Automatic Synthesis of Implementations for Abstract Data Types from Algebraic Specifications

Abstract 

Algebraic specifications have been used extensively to prove properties of abstract data types and to establish the correctness of implementations of data types. This thesis explores an automatic method of synthesizing implementations for data types from their algebraic specifications.

The inputs to the synthesis procedure consist of a specification for the implemented type, a specification for each of the implementing types, and a formal description of the representation scheme to be used by the implementation. The output of the procedure consists of an implementation for each of the operations of the implemented type in a simple applicative language.

The inputs and the output of the synthesis procedure are precisely characterized. A formal basis for the method employed by the procedure is developed. The method is based on the principle of reversing the technique of proving the correctness of an implementation of a data type. The restrictions on the inputs, and the conditions under which the procedure synthesizes an implementation successfully, are formally characterized.

Name and Title of Thesis Supervisor: John V. Guttag
1. Introduction

1.1 Goals of the Thesis

This thesis is concerned with the problem of automatic synthesis of implementations for abstract data types from their algebraic specifications. The inputs to the synthesis procedure include (i) a formal specification of the data type to be implemented, (ii) a formal specification of each of the implementing types, and (iii) a formal description of the representation scheme to be used by the desired implementation. The output consists of an implementation for each of the operations of the implemented type. The inputs are specified using an algebraic specification technique [14, 18, 25].

The  thesis  has  three  main  goals: 

(1) To precisely characterize both the inputs of the synthesis procedure, and the output.

(2) To devise an automatic method of deriving the output from the inputs.

(3) To provide a formal basis for the method.

The method of derivation is described in terms of a set of synthesis rules. The output is derived by invoking the synthesis rules a finite number of times. The thesis describes how the synthesis rules are used in deriving a suitable implementation.

The purpose of providing a formal basis for the method is to justify the correctness of the implementations derived by the synthesis procedure. The formal basis also helps in characterizing the scope of the synthesis procedure.

1.2 Motivation for the Research

The reliability of computer software has received a great deal of attention in recent years. Rapid advances in hardware technology have dramatically decreased the cost of hardware relative to software. As a result, the cost of producing and maintaining software has become a major concern. An effective way of improving the reliability and the cost of software simultaneously is to find methods to decrease the effort required to produce correct software. At present, active research is underway [43] in exploring this avenue. Several approaches have been proposed, each of which can be put under one of the following three categories based on the degree of automation it offers: manual approaches, semi-automatic approaches, and automatic approaches.

The manual approach advocates discipline in human programming [31, 11, 41]. It consists of identifying new mechanisms of abstraction [32] that encourage the advocated discipline. The most significant contribution of this approach has been the inducement of a change in the attitude of programmers towards the style of programming. Concrete manifestations of this change include the birth of the concept of abstract data types, and the development of new languages [34, 29, 52] to support data types.

The goal of the semi-automatic approach is to seek machine help to establish the correctness of programs written by the user. Formal methods are developed to specify and verify properties of pieces of software [13, 11, 20]; systems are built to carry out verification automatically or semi-automatically [27, 15]. A variant of the verification method is the programmer's apprentice method [19]. The programmer's apprentice provides an interactive programming environment built up by a set of tools which helps the programmer in preparing and checking his work in several ways. The tools range from simple editors to more sophisticated ones that can analyze and criticize a user's program during the various phases of programming. Yet another way of providing partial machine help is to build systems [2, 3, 48] that will help apply transformation rules chosen from a catalogue of equivalence preserving transformations. The programmer can refine or improve the efficiency of his programs by judiciously choosing the appropriate rules from the catalogue.

The automatic approach, under which our research falls, seeks to automate a part or all of the programming process itself. Its goal is to generate code for programs from their high-level declarative descriptions, thereby relieving the programmer of having to worry about error-prone, low-level details of programming. Though this may one day be feasible, experience [1, 36] in the last few years shows that not nearly enough is known about the process to automate it completely. Two remedies have been used with some success to break the stalemate in the situation: The first is to restrict the domain for which programs are being synthesized [4]; the second is to expect the user to furnish more information about the desired properties of the program [6] to guide the synthesis procedure.
A third course of action that has not so far been employed in earnest is to complement the automatic approach with recent advances in programming methodology. (Bauer, et al., [3] have employed this idea with the semi-automatic approach.) In particular, the idea of designing software as a hierarchy of abstractions can be used to aid the synthesis procedure. Such a hierarchical design for the program reduces the amount of refinement required to be performed by the synthesizer at each step.

The thesis takes into consideration all the factors mentioned above. Within the general area of programming, we restrict ourselves to the study of synthesis of implementations for abstract data types. We believe that the synthesis of implementations for abstract data types is amenable to automation because the specification techniques for data types have been extensively studied, and hence, are better understood. We also expect additional information about the implementation to be furnished by the user. This information is provided in the form of a description of the representation scheme to be used by the implementation.

1.3 Related Work

The works related to ours lie partly in the area of general program synthesis and partly in the area of automatic implementation of data structures.

In the general area of synthesis, the work most closely related to ours is that of Darlington [8, 9]. He has developed a system that uses a set of transformation rules to improve semi-automatically the efficiency of recursive programs and also to construct new recursive programs. Recently, he has also applied the transformation rules to synthesize implementations for data types [9]. The synthesis rules developed in the thesis are closely related to his. The difference lies in the method in which the synthesis rules are used to synthesize implementations. Our method is based on verification techniques of data types. Our work has two advantages over his. Firstly, the class of implementations derived by our method is larger than his. This is because we develop more ways of using the synthesis rules for deriving implementations. Secondly, we formally characterize the conditions under which the synthesis rules yield a correct implementation for data types.
The ZAP system [30] of Feather's is a program transformation system in which the basic rules of manipulation are similar to our synthesis rules. His work is different from ours in two ways. Firstly, he is concerned with developing higher level strategies to apply the basic transformation rules (in general, any equivalence preserving rules) for the construction of large-sized programs. Secondly, his approach is less automatic than ours. The emphasis in the design of ZAP is to use "metaprograms" to improve communication between the user and the system. There are two inputs to ZAP: the specification of the program to be constructed and a metaprogram which consists of a sequence of commands that direct the transformation process. The metaprogram expresses the higher level strategy to be used in applying the transformation rules.

Within the area of automatic implementations for data structures, the work of Okrent [40] has goals closest to ours. Okrent's method uses only the algebraic specifications of the data types involved as inputs. Because of the lack of information about the desired representation scheme, the implementations generated by his synthesis procedure are not as interesting as the ones generated by ours. He limits severely the range of the data types acceptable as inputs. He also concentrates on a fixed set of target structures such as contiguous memory and heap memory for the implementations.

Another work in this area that is related to ours is that of Subrahmanyam's [50]. Subrahmanyam's method, like Okrent's, does not use any information about the representation scheme. His method has a provision for the user to specify performance constraints on the desired implementation. The method is based on partitioning the operation set of the data type into a kernel set and a nonkernel set. Implementations for the kernel operations are derived by identifying pairs of functions (on the representation type) called retrievable insertion function pairs. Implementations for the nonkernel operations are derived in terms of the implementations for the kernel operations so as to meet the performance constraints.

Most of the other research in the automatic generation of data structure implementations has been concerned with the automatic selection of an optimal representation for data structures. Rowe and Tonge [47], Rovner [46], and Tompa and Gotlieb [51] have studied optimization problems for a language containing a fixed set of high level data structures. First they build a library of possible implementations for each fixed high level data structure in the language, along with a parameterized description of the performance of each library entry. Then they proceed to select the "best" implementation for each instance of the data structure, by making a flow analysis of the program that uses the data structure. The goal of our work is to derive an implementation for a given representation rather than to select an optimal one among a given set of representations.

Standish, et al., [49], Bauer, et al., [3], and Wile, et al. [2] have developed catalogues of equivalence preserving transformation rules as a part of program development systems. The programmer can refine or improve the efficiency of his programs by instructing the system to apply appropriate transformation rules on the programs. None of these works, however, deals explicitly with the implementation of data types. It is possible, with some modifications, to incorporate our synthesis rules as a part of their system.

1.4 Organization of the Thesis

The next chapter gives an overview of the synthesis procedure. The third chapter describes in detail the inputs of the synthesis procedure, and formalizes the restrictions on the inputs. The synthesis procedure derives an implementation in two stages: The implementation is first derived in a preliminary form which is then transformed into a final form. The first stage of the procedure is the topic of the fourth and the fifth chapters. The sixth chapter describes the second stage. The last chapter gives the concluding remarks.
2. An Overview of the Synthesis Procedure

This chapter gives an overview of the synthesis procedure. The first section gives a scenario of the synthesis procedure from a user's point of view. It briefly describes the form of the inputs to the synthesis procedure, and the form of its outputs via an example. The second section gives a summary of the synthesis procedure. It points out the nontrivial issues involved in the method employed by the procedure for deriving an implementation. The last section describes the scope of the procedure.

2.1 The User's View

Consider the following scenario involving a programmer. The programmer has designed an abstract data type (the implemented type) to be used in solving one of his programming problems. He is now seeking the help of a system for implementing the type using another data type, called the representation type; the representation type is chosen by the user himself. Furthermore, he is willing to furnish information about how he wants the values of the representation type to be used in representing the values of the implemented type. The system is expected to generate automatically (or with some help from the user) an implementation for the implemented type that uses the representation type as the representation in a manner consistent with that suggested by the user.

Viewed as a black box, the inputs to the procedure are:

(i) A specification of the implemented type,

(ii) a specification of the representation type, and specifications of all the types used in the specification of the representation type. We refer to the representation type, and all the types its specification uses, as the implementing types.

(iii) an association specification that describes how the values of the representation type are to be used in representing the values of the implemented type; this corresponds to the representation (or abstraction) function defined by Hoare in [21].

The output of the synthesis procedure consists of an implementation for each of the operations of the implemented type in terms of the operations of the implementing types. To get a better idea about the inputs and the output, let us consider an example of deriving an implementation for the data type Queue_Int in terms of Circ_List. Queue_Int is a first-in-first-out queue of integers. Elements are added to a queue at the rear end, and removed from the front end. Circ_List is a list of integers. Elements are inserted into and removed from a list at the same end, which is the rear end of the list. The operation that gives Circ_List a circular character is Rotate. Rotate moves every element in a list by one position towards the rear end in a cyclic fashion, i.e., the element at the rear end is moved to the front end.

In this example, the implemented type is Queue_Int and the representation type is Circ_List. Circ_List uses (this notion is defined precisely in the next chapter) the data types Integer and Bool, so the implementing types include Circ_List, Integer, and Bool. Figures 1, 2, and 3 give the inputs to the synthesis procedure. (The figures also give an informal description of the operations of the data types.) Specifications of Integer and Bool should also be given as inputs, although we have not shown them here. The language used to express the data type specifications is equational, similar to the ones developed in [14, 18, 25]. One of the crucial differences is the following: We assume that the specification of every data type identifies a basis for the data type. A basis is a minimal set of operations of the data type that can be used to generate all the values of the type. The operations in the basis are called the generators of the type. For example, the operations Create and Insert can be the generators for Circ_List. The specification language is described in the next chapter.

Fig. 3 gives the association specification for the implementation to be derived. It characterizes the representation scheme to be used by the implementation. The association specification is expressed in two parts. The first part specifies the invariant I. I is a predicate that specifies the set of values that may be used to represent the values of the implemented type: only those values of the representation type for which I is True may be used to represent the values of the implemented type. In the present example, I is True for all values of Circ_List. The second part specifies the abstraction function A; A maps a value of the representation type to the value of the implemented type that the former may represent. In the present example A specifies the following mapping: The empty queue is represented by
Fig. 1. Specification of Queue_Int

Queue_Int is Nullq, Enqueue, Front, Dequeue, Append, Size

Defining Types

Bool, Int

Operations

Nullq : -> Queue_Int

Enqueue : Queue_Int X Int -> Queue_Int

Front : Queue_Int -> Int U { ERROR }

Dequeue : Queue_Int -> Queue_Int U { ERROR }

Append : Queue_Int X Queue_Int -> Queue_Int

Size : Queue_Int -> Int

Comment

Queue_Int is a FIFO queue of integers. Nullq constructs the empty queue. Enqueue adds an element to a queue at the rear end. Dequeue removes the element at the front of a queue. Front returns the element at the front of a queue. Append joins two queues adding the elements of the second argument at the rear of the first argument. Size computes the number of elements in a queue.

Basis

{ Nullq, Enqueue }

Axioms

(1) Front(Nullq) ≡ ERROR

(2) Front(Enqueue(Nullq, e)) ≡ e

(3) Front(Enqueue(Enqueue(q, e1), e2)) ≡ Front(Enqueue(q, e1))

(4) Dequeue(Nullq) ≡ ERROR

(5) Dequeue(Enqueue(Nullq, e)) ≡ Nullq

(6) Dequeue(Enqueue(Enqueue(q, e1), e2)) ≡ Enqueue(Dequeue(Enqueue(q, e1)), e2)

(10) Append(q, Nullq) ≡ q

(11) Append(q1, Enqueue(q2, e2)) ≡ Enqueue(Append(q1, q2), e2)

(12) Size(Nullq) ≡ 0

(13) Size(Enqueue(q, e)) ≡ Size(q) + 1
Fig. 2. Specification of Circ_List

Circ_List is Create, Insert, Value, Remove, Rotate, Empty, Join

Defining Types

Integer, Boolean

Operations

Create : -> Circ_List

Insert : Circ_List X Integer -> Circ_List

Value : Circ_List -> Integer U { ERROR }

Remove : Circ_List -> Circ_List U { ERROR }

Rotate : Circ_List -> Circ_List

Empty : Circ_List -> Boolean

Join : Circ_List X Circ_List -> Circ_List

Comment

Circ_List is a list of integers with a front end and a rear end. Create constructs an empty list; the front and the rear ends of an empty list are the same. Insert inserts an element into a list at the rear end. Value returns the element at the rear end of a list. Remove removes the element at the rear end from a list. Rotate moves every element in a list by one position towards the rear end in a cyclic fashion, i.e., the element at the rear is moved to the front. Empty checks if a list is empty. Join joins two lists by positioning the first argument in front of the second.

Basis

{ Create, Insert }

Axioms

(1) Value(Create) ≡ ERROR

(2) Value(Insert(c, i)) ≡ i

(3) Remove(Create) ≡ ERROR

(4) Remove(Insert(c, i)) ≡ c

(5) Rotate(Create) ≡ Create

(6) Rotate(Insert(Create, i)) ≡ Insert(Create, i)

(7) Rotate(Insert(Insert(c, i1), i2)) ≡ Insert(Rotate(Insert(c, i2)), i1)

(8) Empty(Create) ≡ true

(9) Empty(Insert(c, i)) ≡ false

(10) Join(c, Create) ≡ c

(11) Join(c, Insert(d, i)) ≡ Insert(Join(c, d), i)
Fig. 3. Association Specification

Invariant

I(c) ≡ True

Abstraction Function

A(Create) ≡ Nullq

A(Insert(c, i)) ≡ Add_at_head(A(c), i)

Add_at_head(Nullq, i) ≡ Enqueue(Nullq, i)

Add_at_head(Enqueue(q, i1), i) ≡ Enqueue(Add_at_head(q, i), i1)


the empty list. A nonempty queue is represented by a list whose elements are identical to the ones in the queue, but are arranged in the reverse order. The motivation for this representation scheme is that reading and deletion of elements from a queue can be performed efficiently. Note that the specification of A uses an auxiliary function Add_at_head on Queue_Int; the auxiliary function adds an element at the front end of a queue.

Fig. 4 shows the output of the synthesis procedure. The output defines a set of functions, called the implementing functions, on Circ_List. Every implementing function implements an operation of Queue_Int. The implementing function implementing the operation f is given the name F. For instance, NULLQ implements Nullq. The target


Fig. 4. An Implementation

NULLQ() :: = Create()

ENQUEUE(c, i) :: = Rotate(Insert(c, i))

FRONT(c) :: = Value(c)

DEQUEUE(c) :: = Remove(c)

APPEND(c, d) :: = Join(d, c)

SIZE(c) :: = if Empty(c) then 0
             else SIZE(Remove(c)) + 1
language used to express the implementations for the operations is a simple applicative language. The only mechanisms available in the language to build programs are: functional composition, conditional expressions, and recursive function definition. The language uses a method of defining functions that is customarily used in applicative languages like pure LISP [37]. A function F is defined using the following schema: F(v1, ..., vk) :: = e, where v1, ..., vk are variables, and e is an expression containing those variables. A function definition may use the operations of the implementing types as base functions.
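As an added illustration, and not code from the thesis, the following Python models the Circ_List operations of Fig. 2 on immutable tuples, writes the implementing functions of Fig. 4 over them exactly as the synthesized definitions read, and checks exhaustively on small inputs that every implementing function agrees with a first-in-first-out model through the abstraction function of Fig. 3 (the list holds the queue reversed). The tuple modelling, the use of None for ERROR, and the verify routine with its enumeration bounds are assumptions of this example.

```python
from itertools import product
from typing import Optional, Tuple

ERROR = None                     # stands in for the ERROR value of the specifications (assumption)
CircList = Tuple[int, ...]       # front end at index 0, rear end at the last index (assumption)


# Circ_List (Fig. 2): Create and Insert are the generators; the rest are defined over them.
def Create() -> CircList:
    return ()

def Insert(c: CircList, i: int) -> CircList:
    return c + (i,)                               # insert at the rear end

def Value(c: CircList) -> Optional[int]:
    return c[-1] if c else ERROR                  # element at the rear end

def Remove(c: CircList) -> Optional[CircList]:
    return c[:-1] if c else ERROR                 # remove the element at the rear end

def Rotate(c: CircList) -> CircList:
    return c[-1:] + c[:-1]                        # rear element moves to the front, cyclically

def Empty(c: CircList) -> bool:
    return c == ()

def Join(c: CircList, d: CircList) -> CircList:
    return c + d                                  # c positioned in front of d


# Implementing functions of Fig. 4.
def NULLQ() -> CircList:
    return Create()

def ENQUEUE(c: CircList, i: int) -> CircList:
    return Rotate(Insert(c, i))

def FRONT(c: CircList) -> Optional[int]:
    return Value(c)

def DEQUEUE(c: CircList) -> Optional[CircList]:
    return Remove(c)

def APPEND(c: CircList, d: CircList) -> CircList:
    return Join(d, c)

def SIZE(c: CircList) -> int:
    return 0 if Empty(c) else SIZE(Remove(c)) + 1


# Abstraction function A of Fig. 3: the representation list holds the queue's elements in
# reverse order, so the queue (front first) is the reversed list.
def A(c: CircList) -> Tuple[int, ...]:
    return tuple(reversed(c))


def verify(max_len: int = 3, values: Tuple[int, ...] = (1, 2, 3)) -> bool:
    """Check A(F(x)) == f(A(x)) for every implementing function against a FIFO model,
    exhaustively over all lists of length <= max_len over `values` (constructed inputs)."""
    lists = [tuple(t) for n in range(max_len + 1) for t in product(values, repeat=n)]
    if A(NULLQ()) != ():
        return False
    for c in lists:
        q = A(c)                                   # the queue that c represents, front first
        if FRONT(c) != (q[0] if q else ERROR):
            return False
        dq = DEQUEUE(c)
        if (dq is ERROR) != (q == ()) or (dq is not ERROR and A(dq) != q[1:]):
            return False
        if SIZE(c) != len(q):
            return False
        if any(A(ENQUEUE(c, i)) != q + (i,) for i in values):
            return False
        if any(A(APPEND(c, d)) != q + A(d) for d in lists):
            return False
    return True


if __name__ == "__main__":
    print("Fig. 4 implementation agrees with the FIFO model:", verify())
```

Running the block prints True. The Rotate in ENQUEUE is what keeps the list in the reverse order the abstraction function requires: Insert puts the new element at the rear of the list, and Rotate moves it to the front, which is where the rear element of the queue lives under this representation.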

2.2 A Summary of the Synthesis Procedure

The synthesis procedure is summarized in an illustrative fashion using the example already introduced. This is done in the first two subsections. In the example introduced, the invariant I is a trivial one: It is True on all values. In the third subsection, we highlight the issues involved in deriving an implementation in the presence of a nontrivial invariant by introducing a new example.

The method used by the procedure to derive an implementation is based on treating every equation in the specifications as a rewrite rule.² The procedure begins by combining all the input specifications into a rewriting system called the Initial World (IW). (IW is obtained by simply replacing the symbol ≡ by → in the input specifications.) The procedure assumes that IW satisfies the uniform termination property as well as the unique termination property. (IW is said to be convergent in such a case. This is similar to the Church-Rosser property.) The uniform termination property ensures that every chain of reductions starting from an expression terminates. The unique termination property ensures that all chains of reductions starting from an expression terminate in the same expression. These two properties ensure that the equivalence relation characterized by a specification can be computed by using the rules in IW for reducing expressions. The procedure also assumes that there is a predefined


2. A rewrite rule (written α → β) is an ordered pair, a left hand side and a right hand side, of expressions. A rewrite rule can be used to reduce any expression that is an instance of the left hand side into an expression that is an instance of the right hand side. A rewriting system is a set of rewrite rules.
termination ordering (>) on expressions which can be used for showing the uniform termination property of rewriting systems.

The synthesis procedure derives the implementation in two stages. In the first stage the procedure derives the implementation in an intermediate form. The intermediate form is called a preliminary implementation. In the second stage the preliminary implementation is transformed into an implementation in the target language (target implementation). Fig. 5 gives a preliminary implementation for Queue_Int that is consistent with the association specification given in Fig. 3. There are two crucial differences between a preliminary implementation and a target implementation. The first one concerns the methods used for defining the implementing functions. A preliminary implementation defines a function as a set of rewrite rules. The rewrite rules defining an implementing function F are the ones that have F as the outermost symbol on their left hand side. For instance, rules (2) and (3) in Fig. 5 define ENQUEUE. The second difference is that the only operations of the representation type that are permitted to appear in a preliminary implementation are its generators. A target implementation is permitted to use all the operations of the representation type. In the example under consideration, for instance, a preliminary implementation may use all the operations of Integer and Bool, but only the generators


Fig. 5. A Preliminary Implementation

(1) NULLQ() → Create()

(2) ENQUEUE(Create, j) → Insert(Create, j)

(3) ENQUEUE(Insert(c, i), j) → Insert(ENQUEUE(c, j), i)

(4) FRONT(Create) → ERROR

(5) FRONT(Insert(c, i)) → i

(6) DEQUEUE(Create) → ERROR

(7) DEQUEUE(Insert(c, i)) → c

(8) APPEND(c, Create) → c

(9) APPEND(c, Insert(d, i)) → APPEND(ENQUEUE(c, i), d)

(10) SIZE(Create) → 0

(11) SIZE(Insert(c, i)) → SIZE(c) + 1


(Create, and Insert) of Circ_List.

There are two reasons for the decomposition. Firstly, it makes the synthesis procedure more modular. Target language dependent transformations are separated from the language independent transformations. The decomposition also lends itself naturally to deferring efficiency improving transformations to the later stage. In the first stage one can concentrate on deriving a simple correct implementation. Secondly, the decomposition reduces the complexity of the structure of the synthesis procedure. The first stage deals with the technique for deriving an implementation from the specification of the data type. The second stage deals with the techniques for deriving alternate forms of implementations from a preliminary implementation. The decomposition provides a better insight into the synthesis method, and simplifies the description of the synthesis procedure. The next two subsections give an overview of the two stages of the synthesis procedure.

2.2.1 Stage 1: Preliminary Implementation Derivation

A preliminary implementation of a data type is correct with respect to an abstraction function A if the following condition holds: Every implementing function F (that implements the operation f) defined by the preliminary implementation is a total function on the representation values so that the homomorphism property Ā(F(x)) = f(Ā(x)) holds. Here Ā is a function on the values of the implementing types; Ā behaves exactly like the abstraction function A on the representation values, and like an identity function on all other values. The synthesis procedure derives a preliminary implementation so that the above criterion of correctness is satisfied.
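The rewriting view of Section 2.2 and the homomorphism criterion just stated, as an added example that is not part of the thesis: a small term rewriting engine treats the axioms of Fig. 1, the abstraction function of Fig. 3 and the candidate rules of Fig. 5 as rewrite rules (the relevant part of IW plus the preliminary implementation), normalizes both Ā(F(x)) and f(Ā(x)) on constructed ground terms, and compares the normal forms. The tuple encoding of terms, the innermost reduction strategy, the ordering of rules that makes Ā the identity on non-representation values, the omission of SIZE (it would need integer arithmetic), the omission of the Circ_List axioms (a preliminary implementation uses only the generators), and the deliberately wrong ENQUEUE candidate are all assumptions of this example.

```python
from typing import Dict, List, Optional, Tuple, Union

# Term encoding (assumption of this example): a str is a rule variable, an int is an
# integer constant, and a tuple is (symbol, *arguments).
Term = Union[str, int, tuple]
Subst = Dict[str, Term]
Rule = Tuple[Term, Term]

NULLQ, CREATE, ERROR = ("Nullq",), ("Create",), ("ERROR",)


def match(pattern: Term, term: Term, s: Optional[Subst] = None) -> Optional[Subst]:
    """Return a substitution that makes `pattern` equal to `term`, or None if there is none."""
    s = {} if s is None else s
    if isinstance(pattern, str):                  # variable: bind it, consistently
        if pattern in s and s[pattern] != term:
            return None
        s[pattern] = term
        return s
    if isinstance(pattern, int) or not isinstance(term, tuple):
        return s if pattern == term else None
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        s = match(p, t, s)
        if s is None:
            return None
    return s


def subst(term: Term, s: Subst) -> Term:
    """Instantiate the variables of `term` from the substitution `s`."""
    if isinstance(term, str):
        return s[term]
    if isinstance(term, int):
        return term
    return (term[0],) + tuple(subst(a, s) for a in term[1:])


def normalize(term: Term, rules: List[Rule]) -> Term:
    """Reduce to normal form by innermost rewriting; rules are tried in order at each redex.
    Terminates because the systems used here are convergent."""
    if not isinstance(term, tuple):
        return term
    term = (term[0],) + tuple(normalize(a, rules) for a in term[1:])
    for lhs, rhs in rules:
        s = match(lhs, term)
        if s is not None:
            return normalize(subst(rhs, s), rules)
    return term


QUEUE_AXIOMS: List[Rule] = [                      # Fig. 1, read left to right as rules
    (("Front", NULLQ), ERROR),
    (("Front", ("Enqueue", NULLQ, "e")), "e"),
    (("Front", ("Enqueue", ("Enqueue", "q", "e1"), "e2")), ("Front", ("Enqueue", "q", "e1"))),
    (("Dequeue", NULLQ), ERROR),
    (("Dequeue", ("Enqueue", NULLQ, "e")), NULLQ),
    (("Dequeue", ("Enqueue", ("Enqueue", "q", "e1"), "e2")),
     ("Enqueue", ("Dequeue", ("Enqueue", "q", "e1")), "e2")),
    (("Append", "q", NULLQ), "q"),
    (("Append", "q1", ("Enqueue", "q2", "e2")), ("Enqueue", ("Append", "q1", "q2"), "e2")),
]
ABSTRACTION: List[Rule] = [                       # Fig. 3; the last rule makes A the identity
    (("A", CREATE), NULLQ),                       # on every value that is not a Circ_List value
    (("A", ("Insert", "c", "i")), ("Add_at_head", ("A", "c"), "i")),
    (("Add_at_head", NULLQ, "i"), ("Enqueue", NULLQ, "i")),
    (("Add_at_head", ("Enqueue", "q", "i1"), "i"), ("Enqueue", ("Add_at_head", "q", "i"), "i1")),
    (("A", "x"), "x"),
]
PRELIMINARY: List[Rule] = [                       # Fig. 5, rules (2) to (9)
    (("ENQUEUE", CREATE, "j"), ("Insert", CREATE, "j")),
    (("ENQUEUE", ("Insert", "c", "i"), "j"), ("Insert", ("ENQUEUE", "c", "j"), "i")),
    (("FRONT", CREATE), ERROR),
    (("FRONT", ("Insert", "c", "i")), "i"),
    (("DEQUEUE", CREATE), ERROR),
    (("DEQUEUE", ("Insert", "c", "i")), "c"),
    (("APPEND", "c", CREATE), "c"),
    (("APPEND", "c", ("Insert", "d", "i")), ("APPEND", ("ENQUEUE", "c", "i"), "d")),
]
# A deliberately wrong candidate (constructed): it ignores the reversal required by Fig. 3.
WRONG_ENQUEUE: List[Rule] = [(("ENQUEUE", "c", "j"), ("Insert", "c", "j"))]


def homomorphic(impl: str, spec: str, args: Tuple[Term, ...], impl_rules: List[Rule]) -> bool:
    """True if A(F(x)) and f(A(x)) have the same normal form under the axioms plus impl_rules."""
    rules = QUEUE_AXIOMS + ABSTRACTION + impl_rules
    left = normalize(("A", (impl,) + args), rules)
    right = normalize((spec,) + tuple(("A", a) for a in args), rules)
    return left == right


# Constructed ground term: the list 1, 2 (front to rear), which represents the queue 2, 1.
C: Term = ("Insert", ("Insert", CREATE, 1), 2)

if __name__ == "__main__":
    for f, F in [("Enqueue", "ENQUEUE"), ("Front", "FRONT"), ("Dequeue", "DEQUEUE")]:
        args = (C, 3) if F == "ENQUEUE" else (C,)
        print(F, "satisfies the homomorphism property:", homomorphic(F, f, args, PRELIMINARY))
    print("wrong ENQUEUE candidate detected:", not homomorphic("ENQUEUE", "Enqueue", (C, 3), WRONG_ENQUEUE))
```

Both sides of the criterion are computed purely by reduction: the candidate rules rewrite F(x) to a generator expression of Circ_List, the abstraction rules turn that into a Queue_Int generator expression, and the Queue_Int axioms reduce f applied to Ā of the arguments to a generator expression as well. Because IW is assumed convergent, the two normal forms are equal exactly when the two sides denote the same queue, which is why a textual comparison suffices and why the wrong candidate is caught.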

The procedure synthesizes the preliminary implementation for one operation at a time by deriving a separate set of rewrite rules for every operation. Since the method used is the same for every operation, we illustrate the synthesis of only a couple of operations. The procedure first determines the left hand sides of all the rules of the preliminary implementation. Then, it determines a suitable right hand side for each of the rules.
2.2.1.1 Determining the Left Hand Side

One of the correctness requirements of a preliminary implementation is that it must define a total function on the representation type. This requirement is ensured by deriving the rules of the preliminary implementation so that (1) they satisfy the uniform termination property, and (2) they are well-spanned. The first property is ensured while deriving the right hand side of the rules. The second property is used to determine the left hand sides.

The second property requires the left hand side expressions of the rules to be of a particular form. For instance, any pair of rules that have the form given below constitute a well-spanned set of rules for ENQUEUE. (In the following, ?rhs₁ and ?rhs₂ are used as place holders for expressions to be determined later.)

ENQUEUE(Create, j) → ?rhs₁

ENQUEUE(Insert(c, i), j) → ?rhs₂

Note that the left hand side of each of the above rules consists of ENQUEUE applied to arguments that are generator expressions.³ The set of arguments, i.e., sequences of generator expressions, to ENQUEUE on the left hand side of the rules is ArgsSet = {<Create, j>, <Insert(c, i), j>}. ArgsSet spans the set of all ordered pairs of generator constants. In other words, every pair of generator constants is an instance of one of the arguments in ArgsSet. This property ensures that the definition of ENQUEUE accounts for all the representation values. It is easy to build a procedure that automatically generates a well-spanned ArgsSet, once the generators of the representation type are identified. Thus, an appropriate set of left hand sides for the rewrite rules to be derived can be determined automatically.


3. A generator expression is an expression in which the only function symbols involved are the generators. A generator constant is a generator expression that does not contain any variables.
2.2.1.2 Determining the Right Hand Side

The right hand sides of the rules are determined so that the preliminary implementation satisfies the homomorphism property mentioned earlier. For this, the Initial World, IW, is first supplemented with a set of rules, called the ℋ-rules. The ℋ-rules express the homomorphism property: there is an ℋ-rule for every implementing function. For instance, the ℋ-rule corresponding to ENQUEUE is ℋ(ENQUEUE(c, j)) → Enqueue(ℋ(c), ℋ(j)). Let us call the supplemented system the Perturbed World (PW).⁴

The Perturbed World (PW) is then used to derive a set of synthesis equations, one equation for every rule in the preliminary implementation. The right hand side of a rule is determined from the right hand side of the corresponding synthesis equation. For instance, the synthesis equation corresponding to the rule ENQUEUE(Insert(c, i), j) → ?rhs₂ is an equation of the form ℋ(ENQUEUE(Insert(c, i), j)) = ℋ(?rhs₂) that satisfies the following conditions:

(1) ℋ(ENQUEUE(Insert(c, i), j)) = ℋ(?rhs₂) is a theorem of PW,

(2) ENQUEUE(Insert(c, i), j) ≻ ?rhs₂, where ≻ is the termination ordering, and

(3) ?rhs₂ contains only the permitted operations of the implementing types, and the implementing functions.

The  Synthesis  Theorem  in  chapter  4  shows  that,  when  a  preliminary 
implementation  is  well-spanned,  the  preliminary  implementation  satisfies  the 
homomorphism  property  if  the  synthesis  equation  corresponding  to  each  of  the  rules  in  the 
preliminary  implementation  is  a  theorem  of  PW.  Note  that  the  second  condition  above 
ensures  that  the  rewrite  rules  derived  satisfy  the  uniform  termination  property.  The  third 
condition  ensures  the  syntactic  correctness  of  the  preliminary  implementation. 


4. Note that since ℋ is a function that behaves essentially like 𝒜, the rewrite rules specifying ℋ in PW are obtained by simply replacing 𝒜 by ℋ in the association specification.
2.2.1.3 Deriving the Synthesis Equations

Every synthesis equation of the preliminary implementation is derived with the help of two inference rules called the synthesis rules. The synthesis rules are designed for generating theorems of PW that have the same left hand sides, but different right hand sides. For deriving a synthesis equation, the synthesis rules are invoked repeatedly a finite number of times to generate a series of theorems until the desired equation is generated. For instance, the synthesis equation corresponding to the rule ENQUEUE(Insert(c, i), j) → ?rhs₂ is derived by generating a series of theorems that have ℋ(ENQUEUE(Insert(c, i), j)) as their left hand side. The generation continues until a theorem whose right hand side qualifies the theorem to be a synthesis equation is encountered.

The idea used for generating an equation is to reverse the method of demonstrating that such an equation is a theorem of PW. The central notion used in the generation is a mechanism called expansion. Expansion⁵ is the opposite of reduction. It is the act of applying a rewrite rule to an expression from right to left.

For example, consider the rule ℋ(ENQUEUE(c, j)) → Enqueue(ℋ(c), ℋ(j)), and the expression Add_at_head(Enqueue(ℋ(Create), ℋ(i)), k). The subexpression Enqueue(ℋ(Create), ℋ(i)) is an instance of the right hand side of the rule for the substitution {c ← Create, j ← i}. The corresponding instance of the left hand side is ℋ(ENQUEUE(Create, i)). Therefore, Add_at_head(Enqueue(ℋ(Create), ℋ(i)), k) expands to Add_at_head(ℋ(ENQUEUE(Create, i)), k) by the rule.

The first synthesis rule specifies a way of generating a theorem from an expression with that expression as the left hand side. In the following, e↓ denotes the normal form of e obtained using PW.⁶ (The normal form of e is the result of reducing it using the rewrite rules of PW until it becomes irreducible.)


5. The definition of expansion will be revised later in chapter 4 to make it more general. According to the definition given here, expansion is identical to the transformation technique folding used by Darlington [7] for synthesis of recursive programs.

6. PW is a convergent system. Therefore, every expression is guaranteed to have a unique normal form.


Rule 1:
        e is an expression
        ------------------
             e = e↓


The second synthesis rule specifies how to generate a theorem from an existing one so that the new theorem has the same left hand side as the old one. In the following, expand(e₂) denotes any expression that is an expansion of e₂ using some rewrite rule of PW.

Rule 2:
             e₁ = e₂
        ------------------
          e₁ = expand(e₂)

We  investigate  two  methods  in  which  the  synthesis  rules  can  be  used  for  deriving  a 
synthesis  equation.  The  first  method  derives  synthesis  equations  that  are  in  the  equational 
theory  of  PW.  The  second  method  derives  equations  that  are  in  the  inductive  theory.  The 
second  method  is  more  general  than  the  first  one.  A  system  that  implements  the  synthesis 
procedure  would,  therefore,  use  only  the  second  method.  We  discuss  them  separately  for 
pedagogic  reasons. 


2.2.1.3.1 Derivation in the Equational Theory


As an illustration, let us derive a synthesis equation that is of the form ℋ(ENQUEUE(Insert(c, i), j)) = ℋ(?rhs₂). The equation is derived by generating a series of theorems that have ℋ(ENQUEUE(Insert(c, i), j)) as their left hand side. The generation is begun by invoking synthesis rule (1) on the left hand side expression. The rest of the theorems in the series are generated by invoking synthesis rule (2) using the rewrite rules of PW for expansion. The rewrite rules for expansion are chosen with the following ultimate goal: Obtain a right hand side that has the form ℋ(?rhs₂) so that ENQUEUE(Insert(c, i), j) ≻ ?rhs₂, and ?rhs₂ contains only the implementing functions and the permitted operations of the implementing types. In the illustration given below, the generation of every theorem in the series is considered as a step. At each step, the expression expanded, and the rewrite rule used for expansion are indicated. The relevant rewrite rules of PW that are going to be used for expansion are listed at the beginning. Rule (1) is the ℋ-rule corresponding to ENQUEUE; rules (2) through (5) are obtained from the association specification.


Relevant Rewrite Rules of the Perturbed World

(1) ℋ(ENQUEUE(c, j)) → Enqueue(ℋ(c), ℋ(j))

(2) ℋ(Create) → Nullq

(3) ℋ(Insert(c, i)) → Add_at_head(ℋ(c), ℋ(i))

(4) Add_at_head(Nullq, i) → Enqueue(Nullq, i)

(5) Add_at_head(Enqueue(q, i), j) → Enqueue(Add_at_head(q, j), i)

Form of the theorem to be generated: ℋ(ENQUEUE(Insert(c, i), j)) = ℋ(?rhs₂)

Normal form of ℋ(ENQUEUE(Insert(c, i), j)): Enqueue(Add_at_head(ℋ(c), ℋ(i)), ℋ(j))
Rules used for the normal form: (1), (3)

Step (1) Invoke Synthesis Rule (1) on ℋ(ENQUEUE(Insert(c, i), j))

ℋ(ENQUEUE(Insert(c, i), j)) = Enqueue(Add_at_head(ℋ(c), ℋ(i)), ℋ(j))

Step (2) Expand Expression: Enqueue(Add_at_head(ℋ(c), ℋ(i)), ℋ(j))
Using Rule: (5)

ℋ(ENQUEUE(Insert(c, i), j)) = Add_at_head(Enqueue(ℋ(c), ℋ(j)), ℋ(i))

Step (3) Expand Expression: Enqueue(ℋ(c), ℋ(j))
Using Rule: (1)

ℋ(ENQUEUE(Insert(c, i), j)) = Add_at_head(ℋ(ENQUEUE(c, j)), ℋ(i))

Step (4) Expand Expression: Add_at_head(ℋ(ENQUEUE(c, j)), ℋ(i))
Using Rule: (3)

ℋ(ENQUEUE(Insert(c, i), j)) = ℋ(Insert(ENQUEUE(c, j), i))

The theorem generated in step (4) qualifies to be a synthesis equation. Hence the desired rule of the preliminary implementation is:

ENQUEUE(Insert(c, i), j) → Insert(ENQUEUE(c, j), i)

One can similarly generate a theorem of the form ℋ(ENQUEUE(Create, j)) = ℋ(Insert(Create, j)), which gives rise to the following rewrite rule to complete the preliminary implementation for ENQUEUE:

ENQUEUE(Create, j) → Insert(Create, j)
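The four steps above, and the expansion mechanism of 2.2.1.3, can be run mechanically. The following Python is an added example, not code from the thesis: a small term-rewriting engine in which Synthesis Rule 1 is normalisation and Synthesis Rule 2 is one expansion step, searched breadth first until a right-hand side of the form ℋ(?rhs) satisfying conditions (2) and (3) appears. Where the thesis leaves the ordering ≻ unspecified, the example assumes a structural ordering (a recursive call must take a proper subterm of the original first argument); ℋ is written as the symbol 'H', and all other names are the text's own. Run on rules (1) to (5) above, it reproduces steps (1) to (4) and both rules of the preliminary implementation of ENQUEUE.

```python
from collections import deque

# Terms are tuples ('f', arg, ...); variables are plain strings; the thesis's
# script H is written 'H'.  Added example, not code from the thesis.

def match(pat, term, sub):
    """Match pattern against term, extending substitution sub; True on success."""
    if isinstance(pat, str):
        if pat in sub:
            return sub[pat] == term
        sub[pat] = term
        return True
    if isinstance(term, str) or pat[0] != term[0] or len(pat) != len(term):
        return False
    return all(match(p, t, sub) for p, t in zip(pat[1:], term[1:]))

def subst(t, sub):
    if isinstance(t, str):
        return sub.get(t, t)
    return (t[0],) + tuple(subst(a, sub) for a in t[1:])

def positions(t, path=()):
    """Yield (path, subterm) for every subterm of t, outermost first."""
    yield path, t
    if not isinstance(t, str):
        for k, a in enumerate(t[1:], 1):
            yield from positions(a, path + (k,))

def replace_at(t, path, new):
    if not path:
        return new
    return t[:path[0]] + (replace_at(t[path[0]], path[1:], new),) + t[path[0] + 1:]

def rewrite_once(t, rules):
    """One left-to-right reduction step at the outermost reducible subterm, or None."""
    for path, s in positions(t):
        for lhs, rhs in rules:
            sub = {}
            if match(lhs, s, sub):
                return replace_at(t, path, subst(rhs, sub))
    return None

def normal_form(t, rules):
    """Synthesis Rule 1: e = e↓.  Terminates because PW is convergent."""
    while (n := rewrite_once(t, rules)) is not None:
        t = n
    return t

def expansions(t, rules):
    """Synthesis Rule 2: apply one rule right to left at one subterm (folding)."""
    for path, s in positions(t):
        for lhs, rhs in rules:
            sub = {}
            if match(rhs, s, sub):
                yield replace_at(t, path, subst(lhs, sub))

def is_synthesis_rhs(lhs_call, e, allowed):
    """Conditions (2) and (3): e is H(?rhs), ?rhs uses only allowed symbols, and
    each recursive call in ?rhs takes a proper subterm of the original first
    argument.  That subterm ordering is the termination ordering assumed here."""
    if isinstance(e, str) or e[0] != 'H':
        return False
    proper = {s for p, s in positions(lhs_call[1]) if p}
    for _, s in positions(e[1]):
        if isinstance(s, str):
            continue
        if s[0] not in allowed or (s[0] == lhs_call[0] and s[1] not in proper):
            return False
    return True

def synthesize(lhs_call, rules, allowed, max_steps=8):
    """Breadth-first series of theorems H(lhs_call) = e, from the normal form
    (Rule 1) through expansions (Rule 2) to the first qualifying H(?rhs)."""
    start = normal_form(('H', lhs_call), rules)
    parent, queue = {start: None}, deque([(start, 0)])
    while queue:
        e, depth = queue.popleft()
        if is_synthesis_rhs(lhs_call, e, allowed):
            series = []
            while e is not None:
                series.append(e)
                e = parent[e]
            return series[::-1]
        for x in expansions(e, rules) if depth < max_steps else ():
            if x not in parent:
                parent[x] = e
                queue.append((x, depth + 1))
    return None

# The relevant rules of the Perturbed World, numbered as in the text.
PW = [
    (('H', ('ENQUEUE', 'c', 'j')), ('Enqueue', ('H', 'c'), ('H', 'j'))),      # (1)
    (('H', ('Create',)), ('Nullq',)),                                         # (2)
    (('H', ('Insert', 'c', 'i')), ('Add_at_head', ('H', 'c'), ('H', 'i'))),   # (3)
    (('Add_at_head', ('Nullq',), 'i'), ('Enqueue', ('Nullq',), 'i')),         # (4)
    (('Add_at_head', ('Enqueue', 'q', 'i'), 'j'),
     ('Enqueue', ('Add_at_head', 'q', 'j'), 'i')),                            # (5)
]
ALLOWED = {'ENQUEUE', 'Insert', 'Create'}   # implementing function and generators

def derive_enqueue_rules():
    """Both rules of the preliminary implementation of ENQUEUE, as {lhs: rhs}."""
    lhss = (('ENQUEUE', ('Insert', 'c', 'i'), 'j'), ('ENQUEUE', ('Create',), 'j'))
    return {lhs: synthesize(lhs, PW, ALLOWED)[-1][1] for lhs in lhss}  # drop H
```

The series returned by synthesize for ENQUEUE(Insert(c, i), j) is exactly the four right-hand sides of steps (1) to (4). Without condition (2) the search would accept ℋ(ENQUEUE(Insert(c, i), j)) itself, reached in two expansions by undoing the two reductions of step (1); the termination ordering is what excludes that trivial theorem, not condition (3).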


2.2.1.3.2 Derivation in the Inductive Theory

The method used for deriving a synthesis equation in the inductive theory is based on the following property that every theorem of PW satisfies: If an equation is a theorem of PW, then every instance of it is in the equational theory of PW. An instance of an equation e₁ = e₂ is an equation obtained by replacing every variable in e₁ and e₂ by generator constants.⁷

We, therefore, take the following approach for deriving an equation in the inductive theory. First derive an instance of the desired equation; the method of derivation described earlier can be used for this purpose. The instance of the equation derived should be such that a generalization of it has the form of the desired synthesis equation, and is a theorem of PW. A generalization of e₁ = e₂ is an equation obtained by replacing assorted constants in e₁ and e₂ by suitable variables. To check if the generalization is a theorem of PW, we use an automatic procedure called is-an-inductive-theorem-of. The procedure is an extension of the method of using the Knuth-Bendix completion algorithm for proving inductive properties of convergent rewriting systems [28, 38, 22]. The procedure is described in chapter 4.

As an illustration let us derive a synthesis equation of the form ℋ(APPEND(c, Insert(d, i))) = ℋ(?rhs₂) which gives rise to one of the rules in the preliminary implementation of APPEND. We begin by deriving an instance determined by the replacement of the variable d by the constant Create, and then apply generalization.

Relevant Rewrite Rules of the Perturbed World

(10) Append(q, Nullq) → q

(14) ℋ(Create) → Nullq

(20) ℋ(ENQUEUE(c, i)) → Enqueue(ℋ(c), ℋ(i))

(22) ℋ(APPEND(c, d)) → Append(ℋ(c), ℋ(d))

7. A generator constant is an expression formed out of generators, and does not contain any variables.

Form of the theorem to be generated: ℋ(APPEND(c, Insert(Create, i))) = ℋ(?rhs₂)

Normal form of ℋ(APPEND(c, Insert(Create, i))): Enqueue(ℋ(c), ℋ(i))

Rules used for the normal form:

Step (1) Invoke Synthesis Rule (1) on ℋ(APPEND(c, Insert(Create, i)))

ℋ(APPEND(c, Insert(Create, i))) = Enqueue(ℋ(c), ℋ(i))

Step (2) Expand Expression: Enqueue(ℋ(c), ℋ(i))
Using Rule: (10)

ℋ(APPEND(c, Insert(Create, i))) = Append(Enqueue(ℋ(c), ℋ(i)), Nullq)

Step (3) Expand Expression: Nullq
Using Rule: (14)

ℋ(APPEND(c, Insert(Create, i))) = Append(Enqueue(ℋ(c), ℋ(i)), ℋ(Create))

Step (4) Expand Expression: Enqueue(ℋ(c), ℋ(i))
Using Rule: (20)

ℋ(APPEND(c, Insert(Create, i))) = Append(ℋ(ENQUEUE(c, i)), ℋ(Create))

Step (5) Expand Expression: Append(ℋ(ENQUEUE(c, i)), ℋ(Create))
Using Rule: (22)

ℋ(APPEND(c, Insert(Create, i))) = ℋ(APPEND(ENQUEUE(c, i), Create))

Step (6) Generalize the theorem in step (5) by replacing the constant Create by the variable d to obtain the following equation:

ℋ(APPEND(c, Insert(d, i))) = ℋ(APPEND(ENQUEUE(c, i), d))

Apply is-an-inductive-theorem-of on the above equation. This yields True, confirming that the equation is a theorem of PW. Hence the desired rule (obtained by dropping ℋ on both sides) is:

APPEND(c, Insert(d, i)) → APPEND(ENQUEUE(c, i), d)

One can similarly generate a theorem of the form ℋ(APPEND(Create, d)) = ℋ(d), which gives rise to the following rewrite rule to complete the preliminary implementation of APPEND.

APPEND(Create, d) → d


2.2.2 Stage 2: Derivation of the Target Implementation

In the second stage of the synthesis procedure, the preliminary implementation is transformed into a target implementation. It should be noted that the preliminary implementation is itself an executable implementation. It can be executed by an interpreter that is capable of simplifying algebraic expressions using the equations in the specifications of data types as rewrite rules. The data type verification system AFFIRM [39] provides such an interpreter. Given the specifications of all the implementing types, the interpreter can execute the preliminary implementation on any given input. Our goal is to derive the target implementation in a form that can be compiled by a compiler for an applicative language. There are two reasons why a target implementation is more efficient than a preliminary implementation. The first one arises because of the freedom to use nongenerators of the representation type in a target implementation. This makes it possible, in some instances, to eliminate recursion from a preliminary implementation of an operation, and to transform it into one which is a composition of the operations of the implementing types. The second reason is that an implementation that can be compiled by means of a conventional compiler is in general more efficient than interpreting a set of rewrite rules. We investigate two methods of transforming a preliminary implementation into a target implementation. We describe each of them briefly below. The first method, although less efficient than the second, derives a larger set of implementations.
2.2.2.1 Recursion Eliminating Method

According to this method the problem of deriving a target implementation is viewed as finding a composition f* of the operations of the implementing types and the implementing functions (possibly including the if_then_else function) that has the same functional behavior as the implementing function F defined by the preliminary implementation. For example, the composition Rotate(Insert(d, k)) has the same behavior as the function ENQUEUE defined by the rewrite rules of the following preliminary implementation:

ENQUEUE(Create, j) → Insert(Create, j)

ENQUEUE(Insert(c, i), j) → Insert(ENQUEUE(c, j), i)

So, the following can be a target implementation for it: ENQUEUE(d, k) ::= Rotate(Insert(d, k)). Note that the target implementation does not use recursion.

More formally, the problem can be stated as follows: Find a composition f* so that the equations obtained by substituting f* for ENQUEUE in the rewrite rules are theorems of the implementing types. The equations for ENQUEUE are given below. Note that, in obtaining the following equations, the two sides of the rewrite rules are interchanged after replacing ENQUEUE by f*. The need for the interchange will be explained later.

(1) Insert(Create, j) = f*(Create, j)

(2) Insert(f*(c, j), i) = f*(Insert(c, i), j)

We use the following strategy to find a solution for f*. We generate a theorem of the implementing types using one of the above equations as a template. For generating such a theorem we use the synthesis rules mentioned earlier. However, this time, since we are interested in the theorems of the implementing types, the rewrite rules in the specification of the implementing types are used for expansion. The theorem generated determines a candidate for f*. The goal is to generate a theorem so that the candidate for f* determined by the theorem also satisfies the other equation. For instance, the sequence of steps given below generates a theorem that has the form of equation (1).


Rewrite Rules of Circ_List

(3) Rotate(Create) → Create

(4) Rotate(Insert(Create, i)) → Insert(Create, i)

(5) Rotate(Insert(Insert(c, i1), i2)) → Insert(Rotate(Insert(c, i2)), i1)

Form of the theorem to be generated: Insert(Create, j) = f*(Create, j)
Normal form of Insert(Create, j): Insert(Create, j)
Rules used for the normal form: None

Step (1) Invoke Synthesis Rule (1) on Insert(Create, j)

Insert(Create, j) = Insert(Create, j)

Step (2) Expand Expression: Insert(Create, j)
Using Rule: (4)

Insert(Create, j) = Rotate(Insert(Create, j))


The last theorem generated in the above series suggests that Rotate(Insert(d, k)) is a candidate for f*(d, k). The candidate composition can be determined mechanically by comparing the theorem generated with the template equation. The candidate we currently have is such that the equation Rotate(Insert(Insert(c, i), j)) = Insert(Rotate(Insert(c, j)), i), which is obtained by replacing f* by Rotate ∘ Insert in equation (2), is a theorem of Circ_List. Had the candidate obtained in the last step not satisfied equation (2), the theorem generation would have continued further to generate another theorem that had the form of equation (1).

The reason that the first equation, rather than the second, was used as the template equation is the following. The synthesis rules are formulated so that the unknown expression in the equation to be searched for is on the right hand side. In equation (2) both sides are unknown since f* occurs on both the sides. That is not the case with equation (1). This was also the reason for interchanging the two sides of the rewrite rules while obtaining the template equations. In the example illustrated the theorem desired was in the equational theory. In general, we need to use the generalization technique described earlier since the theorem may be in the inductive theory.

2.2.2.2 The Recursion Preserving Method

In this method the target implementation is derived with the help of a special set of functions, called the inverting functions,⁸ on the representation type. To understand what inverting functions are, and why they are useful, let us consider an example. The preliminary implementation of SIZE consists of the following rules:

SIZE(Create) → 0

SIZE(Insert(c, i)) → SIZE(c) + 1

A target implementation for SIZE may take the following form:

SIZE(d) ::= if Empty(d) then 0
            else SIZE(Remove(d)) + 1

Note that in the preliminary implementation the argument to SIZE on the left hand side of a rule is permitted to be a generator expression. The argument indicates the pattern or the structure of the expression that constructs the values for which the rewrite rule is applicable.⁹ This freedom is used in a preliminary implementation to perform a case analysis based on the structure of the argument, and to decompose the argument.

In a target implementation the argument to SIZE on the left hand side of the definition must be a variable. This means that the expression on the right hand side of the definition must have explicit subexpressions for determining the structure of the argument and to decompose the argument. Inverting functions of a data type can be used to build these subexpressions.

Informally speaking, the inverting functions of a data type are functions that can be used to algorithmically invert the process of constructing a value of the type from the generators of the type. In other words, by applying one or more of the inverting functions a finite number of times on a value one can determine a generator expression that constructs the value. For instance, for Circ_List the operations Remove, Value, and Empty can serve as a set of inverting functions. The structure of any circular list value in terms of Create and Insert can be determined using these operations. For instance, if v is a variable denoting the value constructed by Insert(c, j), then Remove(v) extracts the component c; ¬Empty(v) checks if v is constructed by an expression of the form Insert(c, j). So, the rewrite rules can be merged into the following conditional expression:

if Empty(d) then 0 else SIZE(Remove(d)) + 1.

8. Inverting functions are closely related to distinguished functions of a data type defined in [24]. In [24] the distinguished functions are used to formalize the expressive power of a data type.

9. If we are interested in interpreting the preliminary implementation, it is, therefore, necessary for the interpreter to have pattern matching capability to invoke the appropriate rewrite rule while simplifying an expression.

The target implementation is derived in two steps. The first step identifies a set of inverting functions for the representation type. In the second step the rewrite rules constituting the preliminary implementation of every operation are transformed into a target implementation in terms of the inverting functions. The method is described in detail in chapter 6.

2.2.3 Extending the Synthesis Procedure

Consider the association specification given in Fig. 6. It specifies a representation scheme for implementing Queue_Int as a triple Array_Int × Integer × Integer, which can informally be described as follows. (Array_Int is specified in the next chapter, which also describes the association specification shown below in more detail.) Nullq can be represented by any triple in which the two integer components are equal. A nonempty queue can be represented by a triple <v, i, j>, where v is an array of arbitrary length containing the elements of the queue between the index values i and j-1, in order. In other words, i points to the front end of the queue, and j points to the next position available in the queue for adding an element. Note that in this example, unlike the last one, not every value of the representation type can legally represent a queue. A triple <v, i, j> is a legal representation value if and only if i ≤ j, and v is guaranteed to be defined on all index values between i and j-1. The invariant ℐ in Fig. 6 specifies this condition.

Fig. 6. Queue_Int in terms of Triple

𝒜(<v, i, i>) = Nullq

𝒜(<Assign(v, e, j), i, j+1>) = if i = j+1 then Nullq
                                else Enqueue(𝒜(<v, i, j>), e)

ℐ(<v, i, i>) = True

ℐ(<Assign(v, e, j), i, j+1>) = if i = j+1 then True
                                else if i ≤ j+1 then ℐ(<v, i, j>)
                                else False

The synthesis in the presence of a nontrivial invariant ℐ has to be performed differently because the implementation must be such that every implementing function F defined preserves ℐ: That is, (∀ v)[ℐ(v) ⇒ ℐ(F(v))].

The synthesis procedure for such a situation is similar to the one described earlier except for the method employed in determining the right hand sides of the rules of a preliminary implementation. The difference lies in the set of rewrite rules used for expansion while generating the theorems. Earlier, the rewrite rules of PW were used, but now it is necessary to use an additional set of rewrite rules. The additional rewrite rules describe information pertaining to the invariant ℐ, and the assumption that the arguments to the implementing function satisfy the invariant. The information pertaining to ℐ is maintained as a separate entity called the Temporary World. Chapter 5 describes how the Temporary World is constructed, maintained, and used in the synthesis of an implementation.
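The two obligations on an implementing function F over this representation, the invariant preservation (∀ v)[ℐ(v) ⇒ ℐ(F(v))] just stated and the homomorphism property of 2.2.1, can be checked exhaustively on small representation values. The following Python is an added example, not code from the thesis: it models the triple <v, i, j> of Fig. 6 with 𝒜 and ℐ written directly from the informal description in the text (the queue holds v[i], ..., v[j-1]), and checks candidate implementing functions against both obligations. The implementing functions ENQUEUE and ADD_AT_HEAD on the triple, and the two deliberately wrong variants, are assumptions of this example, since the page gives only 𝒜 and ℐ; the names A, I, Enqueue, Add_at_head and Assign stand for the symbols of the thesis.

```python
from itertools import product

# Model of the representation scheme of Fig. 6: a triple (v, i, j) where v is an
# Array_Int (here a dict index -> element), i the index of the front element and
# j the next free index.  Added example, not code from the thesis.

NULLQ = ()                      # abstract Queue_Int values are tuples, front first

def Enqueue(q, e):
    return q + (e,)

def Add_at_head(q, e):
    return (e,) + q

def Assign(v, e, k):            # applicative Array_Int update: returns a new array
    w = dict(v)
    w[k] = e
    return w

def I(t):
    """The invariant from the text: i <= j and v defined on every index in [i, j-1]."""
    v, i, j = t
    return i <= j and all(k in v for k in range(i, j))

def A(t):
    """The abstraction function: the queue holds v[i], ..., v[j-1] in order.
    Like the thesis's A, it is meaningful only on legal representation values."""
    v, i, j = t
    if not I(t):
        raise ValueError("A applied to an illegal representation value")
    return tuple(v[k] for k in range(i, j))

# Candidate implementing functions (assumed for this example; the page gives only
# A and I).  The last two are deliberately wrong.
def ENQUEUE(t, e):
    v, i, j = t
    return (Assign(v, e, j), i, j + 1)

def ADD_AT_HEAD(t, e):
    v, i, j = t
    return (Assign(v, e, i - 1), i - 1, j)

def ADD_AT_HEAD_BROKEN(t, e):   # forgets the Assign, so v[i-1] is undefined
    v, i, j = t
    return (v, i - 1, j)

def ENQUEUE_LOST(t, e):         # writes e but never advances j: the invariant
    v, i, j = t                 # still holds, the homomorphism does not
    return (Assign(v, e, j), i, j)

def legal_values(max_len=3, elements=range(3)):
    """Every legal triple with front index 0..max_len and up to max_len elements."""
    out = []
    for i in range(max_len + 1):
        for n in range(max_len + 1 - i):
            for elems in product(elements, repeat=n):
                out.append(({i + k: e for k, e in enumerate(elems)}, i, i + n))
    return out

def violations(F, f, values=None, args=range(3)):
    """Check F implementing f against both obligations for every legal value t
    and argument e: I(t) => I(F(t, e)), and A(F(t, e)) == f(A(t), e).
    Returns the names of the obligations that fail; the empty set means F passed."""
    failed = set()
    for t in values or legal_values():
        for e in args:
            r = F(t, e)
            if not I(r):
                failed.add("invariant")
            elif A(r) != f(A(t), e):
                failed.add("homomorphism")
    return failed
```

The two wrong variants show that the obligations are independent: ADD_AT_HEAD_BROKEN produces a triple on which 𝒜 is not even defined, which is what ℐ detects, while ENQUEUE_LOST keeps every value legal and is caught only by the homomorphism check. The enumeration is finite, so this is a test, not the proof the synthesis procedure constructs; a legal value outside the enumerated range is not covered.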

2.3 The Scope of the Synthesis Procedure

The scope of the synthesis procedure is limited because of two reasons. Firstly, the restrictions imposed on the input specifications limit the range of data type specifications that are acceptable as inputs to the procedure. Secondly, the synthesis procedure is capable of deriving only a class of implementations that satisfy certain properties. We describe the two forms of limitations below.
2.3.1 Restrictions on the Inputs

The input specifications must be such that the Initial World (IW), which is a combination of all the specifications, forms a rewriting system that

(1) has the uniform termination property,

(2) has the unique termination property, and

(3) is well-spanned.

The second and the third properties are not restrictive because they can be attained by adding certain additional rewrite rules to the system. There are automatic procedures [28, 38, 22] for determining the rules that need to be added, provided the system satisfies the uniform termination property.

The uniform termination property can be restrictive. It is, in general, not possible to express all the properties one wishes to specify in a manner that preserves the uniform termination property. For example, consider the data type Set_of_Elements that has an operation Insert to insert an element into a set. To express the property that the order of insertion of elements into a set is immaterial, it is necessary to have a rewrite rule of the form Insert(Insert(s, i), j) → Insert(Insert(s, j), i) as a part of IW. A system containing this kind of rule need not, in general, terminate because the rule does not strictly reduce an expression.

One way of getting around this problem is to exclude the concerned rule(s) from IW. However, there are two reasons why one may not want to do this. Firstly, the rule might be needed to attain the second and the third properties mentioned above. In such a situation excluding the rule(s) makes the input unacceptable. The second reason is that omitting the rule may leave the specification incomplete.¹⁰ The method used by the synthesis procedure does not require the specifications to be complete, so the input (excluding the concerned rule) in this case is acceptable. But the procedure will not be able to derive an implementation that is dependent on the property expressed by the rule.


10. We use the following notion of completeness: A specification is complete if all the properties that are valid for the data type are provable from the specification.


2.3.2 The Class of Implementations Derived


There are three factors that are responsible for limiting the class of implementations derived by the procedure. The first is related to the subset of the proof theory of the input specifications in which the synthesis procedure operates. The procedure can only derive those implementations whose correctness proof is within the operational part of the theory. The operational part of the theory comprises the subset of the inductive theory that is decided by the Musser/Knuth-Bendix method [38] of proving inductive properties.

The second limiting factor is the termination ordering ≻. The synthesis procedure assumes that an effective ordering is implicitly available to be used in ensuring the termination of the implementation. So, the procedure can only derive those implementations whose termination can be proved using the ordering ≻. The more general¹¹ the ordering ≻, the larger is the class of implementations that can be derived.

The third reason is that the implementations derived may not involve arbitrary helping functions. The synthesis procedure is not capable of automatically discovering a helping function that might be necessary in an implementation. The user has to furnish a specification of the helping function as a part of the Initial World if he wishes an implementation in terms of the helping function.

1.3.3 Effects of Using the Procedure Outside its Scope

Using the procedure on a specification that does not satisfy the uniform termination property may result in infinite looping. This is because, under such a circumstance, there can be expressions for which a normal form does not exist. The effect of a violation of the unique termination property depends on how serious the violation is. If the violation implies that the system is inconsistent, then the procedure may derive an incorrect implementation. However, if the system is consistent despite the violation, the effect will only be a reduction in the class of implementations that the procedure can derive. It should be noted that all three of the


11. An ordering ≻1 is considered to be more general [23] than ≻2 if ≻1 contains ≻2. That is, ≻1 relates a larger set of expressions than ≻2.


properties required of the inputs can be checked automatically (assuming that a termination ordering ≻ is available).
3. Inputs to the Synthesis Procedure

This  chapter  has  four  sections.  The  first  section  defines  data  types  and  their 
specification.  The  second  section  describes  the  association  specification.  The  third  section 
characterizes  the  restrictions  on  the  inputs.  The  last  section  describes  proving  properties  of 
data  types  from  the  specifications. 

3.1  Data  Types  and  their  Specification 

3.1.1  Preliminary  Concepts 

A data type consists of a set (perhaps infinite) of values, called the value set, and a finite set of operations, called the operation set. The only way in which the values of a data type can be constructed, manipulated or observed is through the operations of the data type.

The behavior of a data type is usually dependent on several other data types. These data types appear as a part of the domain or as the range of the operations of the data type under consideration. We call these other data types the defining types; the data type under consideration is referred to as the type of interest (TOI). If the TOI is the one that is being implemented, we refer to it as the implemented type. The type that is used to represent the implemented type is called the representation type. The defining types of the representation type are called the ancillary types. The union of the representation type and the ancillary types is called the set of implementing types. For example, the defining types of the data type Queue_Int specified in Fig. 7 are Integer and Bool.

A data type has two kinds of operations. A constructor is an operation that yields a value of the TOI, and an observer is an operation that yields a value of a defining type. For Queue_Int, the operations Nullq, Enqueue, Dequeue, and Append are all constructors; the rest of the operations are observers.

We treat the exceptional behavior of a data type in a simplified fashion. We assume that every data type has a unique exceptional value that is constructed by the operation Error belonging to the type. The value Error() is treated like any other value of the type except that it has the following unique property. Every operation is assumed to be strict with respect to Error(): every operation f is such that when applied to Error() from any of its domain types it yields the exceptional value of the range type of f. We assume that every operation f is a total function: that is, f is defined on every element of its domain, yielding either an exceptional value or a normal value from its range type.

The requirement on a data type that its values be manipulated only by its operations translates to requiring that its values be constructed only by its constructors, possibly using the values of its defining types. Furthermore, in a computer the values can be constructed only by a finite sequence of operations, so the value set of a data type is the smallest set closed under finitely many applications of its constructors. This property of a data type is called the minimality property [25].

A subset of constructors is said to be complete if every value of the TOI can be constructed by some composition of the constructors in the subset (possibly using values of the defining types). A basis for a data type is a complete set of constructors that is minimal, i.e., no subset of a basis is complete. A data type may have more than one basis. { Nullq, Enqueue } is a basis for Queue_Int since all queues can be generated using Nullq and Enqueue, and no subset of it can do so.

An expression (or a term) is a sequence of operations and variables denoting an application of the operations to the variables. The type of an expression is the range type of the operation symbol that appears at the outermost level of the expression. A constant is an expression that does not contain any variables. For example, Dequeue(Enqueue(q, e)) is an expression of type Queue_Int; it is not a constant since it contains variables. Dequeue(Enqueue(Nullq, 0)) is a constant of type Queue_Int.

3.1.2  Definition  of  a  Data  Type 

The only way in which the values of a data type can be manipulated is through the operations of the type. We define a data type so as to capture the behavior of the type as viewed through the operations of the type. This behavior is called the observable behavior of the data type. This method of definition was advocated by Guttag [16], and later developed by Kapur [25]. According to this view, the values of a data type are distinguishable only by means of the operations of the type.

Heterogeneous algebras provide a natural means of modeling the behavior of a data type. A heterogeneous algebra that can be used to model a data type is defined recursively in terms of the algebra that is used to model each of its defining types. The basis of this recursion is the type Bool which does not have any defining types.

A heterogeneous algebra for a data type D consists of (i) a domain corresponding to D, which is called the principal domain, (ii) a domain corresponding to every defining type of D, (iii) a function corresponding to every operation of D. The elements of the principal domain are used to denote the values of D. The minimality property of a data type requires that every element of the domains of the algebra be constructible by a finite number of applications of the constructors of the appropriate type. Any heterogeneous algebra that has the appropriate signature, and that exhibits the desired observable behavior, can be used to model the data type. Hence, we define a data type as a set of heterogeneous algebras that exhibit the same observable behavior. Every algebra in the set is said to be a model of the data type. The elements of the principal domain are called the values (of D) in that model. Below we formally characterize the observable behavior of a heterogeneous algebra.

The observable behavior of a model is characterized in terms of the distinguishability relation on the values of the model. The distinguishability relation is defined inductively in terms of the distinguishability of the values of the defining types. That is, we assume that the distinguishability relation is already defined on the domain corresponding to each of the defining types. (The basis of this induction is the data type Bool that does not have any defining types: the only two values, True and False, of Bool are assumed to be distinguishable.) Two values of a model are distinguishable if and only if there is a sequence of operations of D, with an observer as the outermost operation, that produces distinguishable results when applied separately on the values. If two values are not distinguishable, they are observably equivalent. For instance, the Queue_Int values constructed by Enqueue(Nullq, 0) and Append(Nullq, Enqueue(Nullq, 0)) are observably equivalent; but the ones constructed by Enqueue(Nullq, 0) and Dequeue(Enqueue(Nullq, 0)) are distinguishable. Observable equivalence is an equivalence relation.
Definition Two models are behaviorally equivalent if their quotient models induced by the observable equivalence relations are isomorphic to each other.

Definition  A  data  type  is  a  set  of  behaviorally  equivalent  heterogeneous  algebras. 

3.1.3  Specification  of  a  Data  Type 

The  specification  of  a  data  type  is  a  piece  of  text  in  a  formal  language.  It  describes  a 
set  of  properties  concerning  the  operations  of  the  data  type.  The  aim  of  writing  a 
specification  is  to  characterize  through  the  specification  the  observable  equivalence  relation 
that  defines  the  data  type. 

It has been observed [17] that the construction of an algebraic specification for a data type is rendered easier and more reliable (in the sense that one has increased confidence in the consistency and completeness of the specification) by using a basis of the data type as a guide for constructing the specification. We assume that all our specifications are constructed in this fashion. The operations belonging to the basis of a specification are called the generators of the specification. An operation that is not in the basis is called a non-generator. Note that all generators are constructors; non-generators may be constructors or observers.

Throughout the development when we refer to the basis or the generators of a data type involved in the synthesis, we actually mean the basis or the generators associated with the specification of the data type being used as an input to the synthesis procedure. Definitions of a couple of new terms pertaining to the generators are in order at this point. A generator expression (generator constant) of a data type is an expression (constant) that consists of only the generators of the type. Taking Queue_Int with the specification given in Fig. 7 as an example, Enqueue(Nullq, 0) is a generator constant whereas Dequeue(Enqueue(Nullq, 0)) is not a generator constant, because Dequeue is a non-generator.
3.1.3.1 The Specification Language

The specification language we use is a restricted version of an equational language that permits conditionals and auxiliary functions. The language is similar to the ones used in several other works on data type specification and verification such as [14, 18, 25]. A specification has two parts: the Operations part describes the functionality of every operation of the TOI; we assume that the Operations part identifies the basis used for the specification. The Axioms part consists of a set of axioms describing the properties of the operations. Every axiom has the form of an equation e1 = e2, where e1 and e2 are expressions of the same type. The expressions may involve any of the operations of the TOI and the defining types. The expressions may contain any of a finite number of auxiliary functions which are also specified as part of the specification. The equations may involve conditional expressions on their right hand side, i.e., e2 may contain the auxiliary function if_then_else which behaves like a conditional expression.12 For the sake of clarity, we use the following more conventional syntax for an expression involving if_then_else. The expression if_then_else(b, e21, e22) is written as if b then e21 else e22.

We differ from the works cited above by assuming that every axiom in the specification satisfies the following syntactic constraints. The constraints are not restrictive, in the sense that they do not restrict the class of data types that can be specified. The first constraint enables us to automatically partition the axiom set into two disjoint sets: one that contains only the generator symbols; the other whose axioms may involve generators as well as non-generators. The partitioning of the axiom set facilitates the synthesis process by reducing the inter-dependence of the synthesis of different operations. The second constraint permits the axioms to be treated as left to right rewrite rules (to be described later) without having to interchange the two sides of the axioms.


12. if_then_else can be specified by the following two equations.

if_then_else : Bool X T X T -> T
if_then_else(True, e1, e2) = e1
Every axiom e1 = e2 of a specification satisfies the following conditions:

(1) Every data type specification explicitly identifies a basis, i.e., a set of generators.

(2) The set of variables in e2 is a subset of the set of variables in e1.

Figures 7 and 8 show specifications of a (FIFO) queue of integers (Queue_Int) and a circular list of integers (Circ_List). The specifications meet the constraints specified above.

3.1.3.2 Semantics of a Specification

The specification of a data type characterizes the observable equivalence relation that defines the data type. The semantics of a specification is a set of heterogeneous algebras that are behaviorally equivalent based on the observable equivalence relation characterized by the specification.

To determine the observable equivalence relation characterized by a specification, the symbol '=' in the axioms of the specification should be read as 'observably equivalent'. For instance, the equation Size(Enqueue(q, e)) = Size(q) + 1 in the specification of Queue_Int asserts that the two expressions yield observably equivalent values for all instantiations of the variables in them. The observable equivalence relation characterized by the specification is the reflexive, symmetric, transitive closure of =. Every algebra that satisfies all the axioms in the specification is a model of the type being specified by the specification.

3.2  Association  Specification 

In addition to the specifications of the types involved in the synthesis, the synthesis procedure expects the user to provide information about the representation scheme to be used by the implementation that is to be derived. This section explains what exactly that information is, and how it can be specified. We call the formal description of the information the association specification of an implementation.
Fig. 7. Specification of Queue_Int

Queue_Int is Nullq, Enqueue, Front, Dequeue, Append, Size

Defining Types

Bool, Int

Operations

Nullq : -> Queue_Int

Enqueue : Queue_Int X Int -> Queue_Int

Front : Queue_Int -> Int U { ERROR }

Dequeue : Queue_Int -> Queue_Int U { ERROR }

Append : Queue_Int X Queue_Int -> Queue_Int

Size : Queue_Int -> Int

Basis

{ Nullq, Enqueue }

Axioms

(1) Front(Nullq) = ERROR

(2) Front(Enqueue(Nullq, e)) = e

(3) Front(Enqueue(Enqueue(q, e1), e2)) = Front(Enqueue(q, e1))

(4) Dequeue(Nullq) = ERROR

(5) Dequeue(Enqueue(Nullq, e)) = Nullq

(6) Dequeue(Enqueue(Enqueue(q, e1), e2)) = Enqueue(Dequeue(Enqueue(q, e1)), e2)

(10) Append(q, Nullq) = q

(11) Append(q1, Enqueue(q2, e2)) = Enqueue(Append(q1, q2), e2)

(12) Size(Nullq) = 0

(13) Size(Enqueue(q, e)) = Size(q) + 1


Fig. 8. Specification of Circ_List

Circ_List is Create, Insert, Value, Remove, Rotate, Empty, Join

Defining Types

Integer, Boolean

Operations

Create : -> Circ_List

Insert : Circ_List X Integer -> Circ_List

Value : Circ_List -> Integer U { ERROR }

Remove : Circ_List -> Circ_List U { ERROR }

Rotate : Circ_List -> Circ_List

Empty : Circ_List -> Boolean

Join : Circ_List X Circ_List -> Circ_List

Comment

Circ_List is a list of integers with a front end and a rear end. Create constructs an empty list; the front and the rear ends of an empty list are the same. Insert inserts an element into a list at the rear end. Value returns the element at the rear end of a list. Remove removes the element at the rear end from a list. Rotate moves every element in a list by one position towards the rear end in a cyclic fashion, i.e., the element at the rear is moved to the front. Empty checks if a list is empty. Join joins two lists by positioning the first argument in front of the second.

Basis

{ Create, Insert }

Axioms

(1) Value(Create) = ERROR

(2) Value(Insert(c, i)) = i

(3) Remove(Create) = ERROR

(4) Remove(Insert(c, i)) = c

(5) Rotate(Create) = Create

(6) Rotate(Insert(Create, i)) = Insert(Create, i)

(7) Rotate(Insert(Insert(c, i1), i2)) = Insert(Rotate(Insert(c, i2)), i1)

(8) Empty(Create) = true

(9) Empty(Insert(c, i)) = false

(10) Join(c, Create) = c

(11) Join(c, Insert(d, i)) = Insert(Join(c, d), i)
3.2.1 What is an Association Specification?

An  association  specification  characterizes  two  pieces  of  information  about  a 
representation  scheme: 

(1) The set of values of the representation type that an implementation may use in representing the values of the implemented type. We call this set the representing domain (ℛ). ℛ is characterized by means of a predicate on the representation type called the invariant (ℐ): ℛ is the set of values of the representation type for which ℐ is True.

(2) A function, called the abstraction function (𝒜), from the values of the representation type to the values of the implemented type. The function corresponds to the representation function of a data type introduced by [21]. The abstraction function maps a representation value to an abstract value that the former may represent in an implementation. An abstraction function may be a many-to-one function. An abstraction function does not have to be defined on every value of the representation type. However, it has to be defined on every value in the representing domain.

The  information  characterized  by  the  association  specification  is  often  the  most 
creative  part  of  an  implementation.  The  proof  of  correctness  of  an  implementation  also,  in 
general,  needs  to  use  information  such  as  this.  If  the  invariant  part  of  an  association 
specification  is  vacuous,  then  we  assume  that  the  invariant  is  true  on  all  values  of  the 
representation  type.  In  such  a  case  the  representing  domain  includes  all  the  values  of  the 
representation  type. 

3.2.2 How Is It Expressed?

We specify ℐ and 𝒜 using the same language that is used to specify the data types involved. ℐ is specified as a set of equations, like any other predicate on the value set of the representation type. 𝒜 is specified as a set of equations relating expressions of the representation type to expressions of the implemented type. We require that 𝒜 be specified as a well-defined function with a nonempty domain.
Fig. 9. Two Association Specifications for Queue_Int

9(a) Queue_Int in terms of Circ_List

𝒜(Create) = Nullq

𝒜(Insert(c, i)) = add_at_head(𝒜(c), i)

add_at_head(Nullq, i) = Enqueue(Nullq, i)

add_at_head(Enqueue(q, i), i1) = Enqueue(add_at_head(q, i1), i)

9(b) Queue_Int in terms of Array_Int X Int X Int

𝒜(<v, i, i>) = Nullq

𝒜(<Assign(v, e, j), i, j+1>) = if i = j+1 then Nullq
                               else Enqueue(𝒜(<v, i, j>), e)

ℐ(<v, i, i>) = True

ℐ(<Assign(v, e, j), i, j+1>) = if i = j+1 then True
                               else if j+1 < i then False
                               else ℐ(<v, i, j>)


Fig. 9 gives a couple of examples of an association specification. 9(a) specifies an implementation of Queue_Int in terms of Circ_List. The empty queue is represented by the empty list; a nonempty queue is represented by a list whose elements are identical to the ones in the queue, but are arranged in the reverse order. The motivation for this representation scheme is that reading and deletion of elements from a queue can be performed efficiently.

Fig. 9(b) specifies an implementation in which a queue is implemented as a triple Array_Int X Integer X Integer. (Array_Int is specified in Fig. 10; the next chapter describes this association specification in more detail.) The representation scheme can be informally described as follows. Nullq can be represented by any triple in which the two integer components are equal. A nonempty queue can be represented by a triple <v, i, j>,


Fig. 10. Specification of Array_Int

Array_Int is Nullarr, Assign, Read, Size, Empty

Defining Types

Integer, Boolean

Operations

Nullarr : -> Array_Int

Assign : Array_Int X Integer X Integer -> Array_Int

Read : Array_Int X Integer -> Integer U { ERROR }

Size : Array_Int -> Integer

Empty : Array_Int -> Boolean

Comment

Array_Int is an array of integers. Every element in the array is indexed by an integer; the indices are not necessarily contiguous. Nullarr creates an empty array. Assign assigns a given value (the second argument) to the element at a given index (the third argument); if the array does not have an element with the given index, then the value is added to the array. Read reads the element at the given index. Empty checks if an array is empty.

Basis

{ Nullarr, Assign }

Axioms

(1) Assign(Assign(v, e1, i1), e2, i2) = if i1 = i2 then Assign(v, e2, i2)
                                        else Assign(Assign(v, e2, i2), e1, i1)

(2) Read(Nullarr, i) = ERROR

(3) Read(Assign(v, e, j), i) = if i = j then e
                               else Read(v, i)

(4) Empty(Nullarr) = true

(5) Empty(Assign(v, e, i)) = false
where v is an array of arbitrary length containing the elements of the queue between the index values i and j-1, in order. In other words, i points to the front end of the queue, and j points to the next position available in the queue for adding an element.

Note that in this example, unlike the last one, not every value of the representation type can legally represent a queue. A triple <v, i, j> is a legal representation value if and only if i ≤ j, and v is guaranteed to be defined on all index values between i and j-1. The invariant ℐ in Fig. 9(b) specifies this condition.

The abstraction function 𝒜 is specified so that it is defined on all values for which ℐ is True. The specification uses an auxiliary function Add_at_head. Add_at_head is a function on Queue_Int that adds a given element at the front of a queue. A specification of Add_at_head is given as a part of the association specification.

3.2.3  Further  Discussion  on  Association  Specification 

It is important to note that every association specification need not have an implementation corresponding to it. To understand this more clearly, let us look at the relationship between an association specification and an implementation that uses a representation scheme consistent with the one characterized by the association specification.

An implementation of a data type consists of

(i) a representation type being used as the representation for the implementation,

(ii) a program, i.e., a segment of code, for every operation of the type in a language; this program is called the implementation of the corresponding operation.

Note  that  both  a  preliminary  implementation  and  a  target  implementation  (as  introduced  in 
the  previous  chapter)  of  a  data  type  are  implementations  of  the  data  type.  A  preliminary 
implementation  uses  one  language  to  express  the  program,  while  the  target  implementation 
uses  another. 

Formally,  an  implementation  of  a  data  type  can  be  considered  to  be  denoting  a 
heterogeneous  algebra,  called  an  implementation  algebra,  with 
(i) a principal domain that is a subset of the value set of the representation type,

(ii)  a  domain  corresponding  to  every  defining  type  of  the  implemented  type  -  this 
domain  is  identical  to  the  value  set  of  the  corresponding  defining  type. 

(iii)  a  function  corresponding  to  the  implementation  of  every  operation  of  the 
implemented  type  so  that  the  function  mimics  the  behavior  of  the  implementing 
program. 

An implementation of a type is correct if there exists a homomorphism from the implementation algebra to the implemented type. The association specification should be such that there exists an implementation algebra with computable functions that corresponds to the representation scheme characterized by the association specification. More specifically, the implementation algebra should satisfy the following conditions:

(i) The principal domain of the algebra is the representing domain characterized by the association specification.

(ii)  There  is  a  computable  function  in  the  algebra  with  the  appropriate  functionality 
corresponding  to  every  operation  of  the  implemented  type. 

(iii)  The  implemented  data  type  is  a  homomorphic  image  of  the  implementation  algebra 
with  respect  to  the  abstraction  function. 

We do not intend to formally characterize the properties that the association specification ought to satisfy so that it meets the above requirement. Rather, we trust the intuition of the user, and assume that there exists an implementation that is consistent with the association specification furnished by him. If the association specification provided as an input to the synthesis procedure is such that there is no implementation corresponding to it, then the synthesis procedure will, in general, never terminate. The synthesis method, however, does not produce an incorrect implementation in such a case.
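The correctness condition just stated (the implemented type as a homomorphic image of the implementation algebra under 𝒜), checked concretely for the Fig. 9(b) representation, as an added example that is not from the thesis. The implementation functions are hand-written for this example (not output of the synthesis procedure), and the Python tuple model of Queue_Int and dict model of Array_Int are this example's assumptions.

```python
# Added example (not the thesis's code). Models assumed here: a Queue_Int value is a
# tuple of ints with the front at index 0; an Array_Int value is a dict index -> value,
# where Nullarr is {} and Assign(v, e, k) adds or overwrites key k.
ERROR = 'ERROR'
NULLQ = ()

# Model of the implemented type Queue_Int (FIFO), used to state what the
# implementation must agree with.
def enqueue(q, e):
    return q + (e,)

def front(q):
    return ERROR if q == () else q[0]

def dequeue(q):
    return ERROR if q == () else q[1:]

# Association specification of Fig. 9(b) on representation triples (v, i, j).
def invariant(rep):
    """I(<v, i, j>): True iff i <= j and v is defined on every index i..j-1."""
    v, i, j = rep
    if i == j:
        return True
    if j < i:
        return False
    return (j - 1) in v and invariant((v, i, j - 1))

def abstraction(rep):
    """A(<v, i, j>): the queue v[i], ..., v[j-1] in order; defined only where I holds."""
    v, i, j = rep
    if not invariant(rep):
        raise ValueError('A is undefined outside the representing domain')
    if i == j:
        return NULLQ
    return enqueue(abstraction((v, i, j - 1)), v[j - 1])

# A candidate implementation over the representation, written by hand here.
def nullq_impl():
    return ({}, 0, 0)

def enqueue_impl(rep, e):
    v, i, j = rep
    return ({**v, j: e}, i, j + 1)               # <Assign(v, e, j), i, j+1>

def front_impl(rep):
    v, i, j = rep
    return ERROR if i == j else v[i]             # Read(v, i)

def dequeue_impl(rep):
    v, i, j = rep
    return ERROR if i == j else (v, i + 1, j)    # advance the front index

def dequeue_wrong(rep):
    """Deliberately incorrect variant: drops the rear element (a stack pop)."""
    v, i, j = rep
    return ERROR if i == j else (v, i, j - 1)

def _key(rep):
    v, i, j = rep
    return (tuple(sorted(v.items())), i, j)

def reachable_reps(depth, elems=(1, 2)):
    """Representation values reachable from nullq_impl() by at most `depth`
    Enqueue/Dequeue steps: a constructed finite sample of the representing domain."""
    frontier = [nullq_impl()]
    seen = {_key(frontier[0]): frontier[0]}
    for _ in range(depth):
        nxt = []
        for r in frontier:
            cands = [enqueue_impl(r, e) for e in elems]
            if dequeue_impl(r) != ERROR:
                cands.append(dequeue_impl(r))
            for c in cands:
                if _key(c) not in seen:
                    seen[_key(c)] = c
                    nxt.append(c)
        frontier = nxt
    return list(seen.values())

def homomorphism_counterexamples(reps, elems, dequeue_fn=dequeue_impl):
    """For each r in reps with I(r) True, check that every implemented operation
    keeps its result in the representing domain and commutes with A, i.e.
    A(f_impl(r)) == f(A(r)). Returns the failures found (empty means none)."""
    failures = []
    for r in reps:
        if not invariant(r):
            continue                              # not in the principal domain
        q = abstraction(r)
        for e in elems:
            n = enqueue_impl(r, e)
            if not invariant(n) or abstraction(n) != enqueue(q, e):
                failures.append(('Enqueue', r, e))
        if front_impl(r) != front(q):
            failures.append(('Front', r))
        d = dequeue_fn(r)
        if d == ERROR:
            if dequeue(q) != ERROR:
                failures.append(('Dequeue', r))
        elif not invariant(d) or abstraction(d) != dequeue(q):
            failures.append(('Dequeue', r))
    return failures
```

Running the check with `dequeue_wrong` in place of `dequeue_impl` reports a counterexample on any two-element queue with distinct elements, which is the kind of representation error the homomorphism condition is meant to catch.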
3.3 Restrictions on the Inputs

The method used by the synthesis procedure to derive an implementation is based on treating every equation in the specifications as a rewrite rule. The procedure combines all the input specifications, and treats the union as a set of rewrite rules called the Initial World. The restrictions imposed on the inputs are intended to ensure that the Initial World satisfies a useful property called the principle of definition.

The first subsection informally introduces the basic concepts about rewrite rules. (See Appendix I for formal definitions.) The second subsection defines the principle of definition, and develops a sufficient set of conditions for the principle of definition (SCPD). The input is expected to satisfy SCPD. The third subsection describes how to prove properties from a specification that satisfies SCPD.

3.3.1  Rewrite  Rules  and  Rewriting  Systems 

A rewrite rule is an ordered pair (left, right), written left → right, where left and right are expressions containing variables such that the variables in right are among the variables in left. A rule is used to reduce an expression by replacing any subexpression that is matched by left with a corresponding version of right, i.e., with the same substitutions for variables that were made in matching left. (More precise definitions are given in Appendix I.)

For example, consider the rule

Append(q1, Enqueue(q2, i2)) → Enqueue(Append(q1, q2), i2), and the expression α = Dequeue(Append(q1, Enqueue(Nullq, 0))). α is reducible using the rule because it has a subexpression α' = Append(q1, Enqueue(Nullq, 0)) that has the form of the left hand side of the rule: that is, Append(q1, Enqueue(q2, i2)) becomes identical to Append(q1, Enqueue(Nullq, 0)) when the variables in the former are substituted according to the substitution σ = {q1 ← q1, q2 ← Nullq, i2 ← 0}. The corresponding instance of the right hand side of the rule (obtained by substituting the variables in Enqueue(Append(q1, q2), i2) using the substitution σ) is β' = Enqueue(Append(q1, Nullq), 0).

β = Dequeue(Enqueue(Append(q1, Nullq), 0)) is the expression obtained by replacing α' by β' in α. Then, we say that α reduces to β, written α → β.
A rewriting system is a set of rewrite rules. Let R be a rewriting system. An
expression α is reducible by R if it is reducible by some rule in R. If α is not reducible by any
rule in R, then α is irreducible by R.

If α → β by a rule in R, then we say that α directly reduces to β using R, and once
again write it as α → β (using R). Let →* be the smallest relation on pairs of expressions
which is the reflexive, transitive closure of →. Thus, α →* β if and only if there exist
expressions α0, ..., αn, where n ≥ 0, such that α = α0, αi → αi+1 for i = 0, ..., n−1, and
αn = β. We read α →* β as "α reduces to β".

Suppose α →* β, and β is irreducible. Then we say that α simplifies to β; β is called
a normal form of α (in R).

Rewriting systems are used to simplify expressions into their normal forms. Thus, a
useful property of a system is uniform termination: R has the uniform termination property if
no infinite sequence of reductions α0 → α1 → ... is possible in R. When R has the uniform
termination property every expression is guaranteed to have a normal form. Another useful
property of a rewriting system is unique termination: R has the unique termination property if
any two terminating sequences of reductions starting from the same expression have identical
final expressions. When R has the unique termination property the normal form (if it exists)
of every expression is unique. A rewriting system that has both the uniform termination
property and the unique termination property is said to be convergent. When R is convergent
every expression α has exactly one normal form; we denote the unique normal form of α in a
convergent system by α↓.

The rewriting systems corresponding to our input specifications are obtained by
simply replacing the symbol '=' by the symbol '→' in each of the equations in the
specifications. For example, Fig. 11 gives the rewriting system corresponding to the
specification of Queue_Int in Fig. 7. Henceforth, we treat the input specifications as rewriting
systems obtained as explained above. When we refer to a specification, we actually mean the
rewriting system obtained from the specification.
Fig. 11. The Queue_Int Rewriting System

(1)  Front(Nullq) → ERROR

(2)  Front(Enqueue(Nullq, e)) → e

(3)  Front(Enqueue(Enqueue(q, e1), e2)) → Front(Enqueue(q, e1))

(4)  Dequeue(Nullq) → ERROR

(5)  Dequeue(Enqueue(Nullq, e)) → Nullq

(6)  Dequeue(Enqueue(Enqueue(q, e1), e2)) → Enqueue(Dequeue(Enqueue(q, e1)), e2)

(10) Append(q, Nullq) → q

(11) Append(q1, Enqueue(q2, e2)) → Enqueue(Append(q1, q2), e2)

(12) Size(Nullq) → 0

(13) Size(Enqueue(q, e)) → Size(q) + 1


3.3.2 The Principle of Definition

The principle of definition is a property of a specification (or a group of
specifications). The property ensures the consistency of a specification. The property
reinforces the two-tier characteristic inherent in our specifications: It ensures that the
generators are specified among themselves, and the nongenerators are specified as total
functions in terms of the generators. Finally, the property is useful in mechanically proving
properties of data types from their specifications. The property is similar to a property with
the same name defined in [22]. Our definition is more general than the one in [22].

Definition The Principle of Definition

A specification (or a group of specifications) S has the principle of definition property if every
constant t has exactly one normal form (in S), and the normal form is a generator constant of
the appropriate type.

There will be situations in our development when it is necessary to use a restricted
version of the principle of definition. The notion is restricted in the sense that the principle
of definition need hold good only for a subset of terms. The restricted property is useful in
stating that every nongenerator defined by a system be defined as a total function on a subset
of the value set of a type. We give a definition of the property below.

Definition Principle of Definition With Respect to T

Let T be a set of generator constants not necessarily including all possible constants. A
system S satisfies the principle of definition with respect to T if the following condition holds:
Every constant of the form F(g1, ..., gn), where F is a nongenerator function symbol and
g1, ..., gn are generator constants in T, has a unique normal form (in S) that is a generator
constant in T.

The principle of definition has two parts to it: It requires every constant to have a
unique normal form in S, and the normal form to be a generator constant. SCPD has to be
formulated so as to ensure the two parts. The first part can be ensured by requiring S to be
convergent (i.e., to satisfy the uniform termination property and the unique termination
property). The second part is ensured by requiring S to be well-spanned. We define what it
means for S to be well-spanned below, and then show how the two properties ensure the
principle of definition of S.

Consider the rewriting system shown in Fig. 11. The system has three rules (1, 2,
and 3) in which the expression on the left hand side has Front as its outermost symbol. The
set {Nullq, Enqueue(Nullq, e), Enqueue(Enqueue(q, e1), e2)} of generator expressions that
appear as arguments to Front on the left hand side in the rules spans the entire set of
generator constants of Queue_Int; in other words, every generator constant of type
Queue_Int is an instance of one of the expressions in the above set. When a rewriting system
has enough rules corresponding to a nongenerator function f so that the set of generator
expressions appearing as arguments to f spans the set of all generator constants, we say that f
is well-spanned by the rewriting system. We say that a rewriting system is well-spanned if
every nongenerator function symbol of the system is well-spanned. We formalize this notion
below.

In general, since f can be multi-ary, the arguments to f are k-tuples of expressions of
appropriate types, where k is the arity of f. In the following formalization, we first define the
notion of a set of k-tuples of generator expressions being well-spanned; informally, a set of
k-tuples of generator expressions is well-spanned if it spans the set of all k-tuples of generator
constants of appropriate types. The property of a function being well-spanned is defined in
terms of the notion of a well-spanned set of k-tuples of generator expressions. In the
following, we assume that the k-tuples are homogeneous with regard to the types of their
components. The extension to the heterogeneous case is simple.

Definition A set A = {A1, ..., Ap} of k-tuples of generator expressions Ai = <ei1, ..., eik> is
well-spanned if the following condition holds: For every k-tuple <t1, ..., tk> of generator
constants there exist n, 1 ≤ n ≤ p, and a substitution σ, such that for every j, 1 ≤ j ≤ k, we
have tj = σ(enj).

Definition A nongenerator function f is well-spanned by a rewriting system R if there is in R a
set of rewrite rules whose left hand sides are of the form f(ei1, ..., eik), 1 ≤ i ≤ p, and the set
{<ei1, ..., eik> | 1 ≤ i ≤ p} is well-spanned (i.e., complete).

Definition A rewriting system R is well-spanned if every nongenerator function symbol in R is
well-spanned.

Definition A specification S satisfies the sufficient condition for the principle of definition
(SCPD) if S satisfies the following conditions:

(i) S is convergent.

(ii) S is well-spanned.

Lemma If S satisfies SCPD then S satisfies the principle of definition.

Proof Condition (i) guarantees that every constant has exactly one normal form. Condition
(ii) implies that every constant of the form f(g1, ..., gn), where f is a nongenerator and
g1, ..., gn are generator constants, is reducible. Hence any constant containing a nongenerator
symbol has an innermost nongenerator subterm whose arguments are generator constants, and
is therefore reducible; no such constant can be a normal form. Since S satisfies the uniform
termination property, every constant has a normal form, which must therefore be a generator
constant.

Q.E.D.
3.3.3 Checking the Principle of Definition

The main reason for formulating SCPD is so that we might be able to develop
effective methods of checking if a specification satisfies the principle of definition. This
section sheds some light on this topic.

To check if a specification is well-spanned, we have to check if the set of expressions
(or k-tuples of expressions) that appear as arguments to each of the nongenerator functions is
complete. Huet in [22] has demonstrated that it is possible to come up with an effective set of
conditions that is sufficient to check if a set of expressions is complete.
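
The completeness check can be carried out mechanically. The following Python program is an
added illustration; it is not part of the thesis and does not reproduce Huet's conditions. It
decides whether a set of k-tuples of generator patterns is well-spanned in the sense of the
definitions of Sec. 3.3.2 by the usual column-by-column case analysis over the generators of
each sort, and applies the check to the left hand sides of the Fig. 11 rules. The sort table
GENERATORS, the table NONGENERATOR_SORTS, the function names, and the treatment of
Int as an opaque sort that only a variable pattern can cover are assumptions of the example.

```python
# Added example, not from the thesis: an exhaustiveness check that decides
# whether a set of k-tuples of generator patterns is well-spanned (complete)
# in the sense of Sec. 3.3.2, applied to the left hand sides of Fig. 11.
# Terms are nested tuples ('F', arg1, ...); a bare string is a variable.
# The algorithm is the usual column-by-column pattern-matrix check, not
# Huet's own formulation. Assumed signature: Nullq and Enqueue generate
# Queue_Int; Int is modelled as an opaque sort with unboundedly many
# constants, so only a variable pattern can cover an Int column.

GENERATORS = {
    "Queue_Int": {"Nullq": [], "Enqueue": ["Queue_Int", "Int"]},
    "Int": None,  # opaque: 0, 1, 2, ... are not built from listed generators
}

def is_var(t):
    return isinstance(t, str)

def well_spanned(rows, sorts):
    """rows: list of k-tuples of generator patterns; sorts: their k sorts.
    True iff every k-tuple of generator constants of these sorts is an
    instance of some row."""
    if not sorts:
        return len(rows) > 0      # no columns left: covered iff a row survived
    sort, rest = sorts[0], sorts[1:]
    if all(is_var(r[0]) for r in rows):
        # a variable in every row covers this column outright
        return well_spanned([r[1:] for r in rows], rest)
    gens = GENERATORS[sort]
    if gens is None:
        # opaque sort: constructor patterns can never exhaust it, so only the
        # rows with a variable in this column contribute to coverage
        return well_spanned([r[1:] for r in rows if is_var(r[0])], rest)
    for g, arg_sorts in gens.items():
        # specialise the matrix to constants headed by g; every such
        # specialisation must itself be complete
        spec = []
        for r in rows:
            head = r[0]
            if is_var(head):
                spec.append(tuple("_" for _ in arg_sorts) + r[1:])
            elif head[0] == g:
                spec.append(tuple(head[1:]) + r[1:])
        if not well_spanned(spec, arg_sorts + rest):
            return False
    return True

def lhs_argument_tuples(lhs_list, f):
    """The k-tuples of arguments of every left hand side with f outermost."""
    return [tuple(lhs[1:]) for lhs in lhs_list if lhs[0] == f]

def is_well_spanned_system(lhs_list, arg_sorts):
    """Definition: R is well-spanned iff every nongenerator is well-spanned."""
    return all(well_spanned(lhs_argument_tuples(lhs_list, f), sorts)
               for f, sorts in arg_sorts.items())

# Left hand sides of the Fig. 11 rules (right hand sides play no role here).
FIG11_LHS = [
    ("Front", ("Nullq",)),
    ("Front", ("Enqueue", ("Nullq",), "e")),
    ("Front", ("Enqueue", ("Enqueue", "q", "e1"), "e2")),
    ("Dequeue", ("Nullq",)),
    ("Dequeue", ("Enqueue", ("Nullq",), "e")),
    ("Dequeue", ("Enqueue", ("Enqueue", "q", "e1"), "e2")),
    ("Append", "q", ("Nullq",)),
    ("Append", "q1", ("Enqueue", "q2", "e2")),
    ("Size", ("Nullq",)),
    ("Size", ("Enqueue", "q", "e")),
]
NONGENERATOR_SORTS = {
    "Front": ["Queue_Int"], "Dequeue": ["Queue_Int"],
    "Append": ["Queue_Int", "Queue_Int"], "Size": ["Queue_Int"],
}

if __name__ == "__main__":
    print(is_well_spanned_system(FIG11_LHS, NONGENERATOR_SORTS))   # True
    # dropping rule (3) leaves Front undefined on queues of length >= 2
    print(well_spanned([(("Nullq",),), (("Enqueue", ("Nullq",), "e"),)],
                       ["Queue_Int"]))                             # False
```

Dropping rule (3) makes well_spanned report False for Front: that is exactly the situation in
which a constant such as Front(Enqueue(Enqueue(Nullq, 1), 2)) would be irreducible without
being a generator constant, violating the principle of definition.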

Checking the convergence of a set of rules, which forms the remaining condition of
SCPD, has been investigated in [28, 22]. The result in the cited works, which is due to Knuth
and Bendix, provides an algorithm (henceforth referred to as the KB-algorithm) to check the
convergence of a finite set of rewrite rules that satisfies the uniform termination property.
Thus, if we can independently ensure the uniform termination property of a specification,
then we can use the KB-algorithm to show the unique termination property of the
specification.

3.3.3.1 Checking Unique Termination

Let R be a finite set of rewrite rules that has the uniform termination property. The
following theorem is the basis for the KB-algorithm for checking the unique termination
property. The theorem depends upon the concept of unification of expressions. We will first
define this concept.

Two expressions α and β with disjoint variable sets are said to be unifiable if there
exists a substitution θ such that θ(α) = θ(β).[13] The most general unifier of two unifiable
expressions α and β is the unifier θ such that for any unifier σ of α and β there exists a
substitution ρ such that σ is the composition of ρ and θ. The unification algorithm of
Robinson [44] can be used to determine a most general unifier of two given expressions or
decide that they are not unifiable. In the discussion to follow we assume that the candidates
for unification have variables renamed if necessary to obtain disjoint variable sets.

13. The symbol = stands here for two expressions being identically equal.

Let γ1 → δ1 and γ2 → δ2 be two rules of R such that γ1 is unifiable with a nonvariable
subexpression of γ2. More precisely, there exists an occurrence u in γ2 such that α = γ2/u is
not a variable, and α is unifiable with γ1. Let θ be the most general unifier of α and γ1.
Then, we say that θ(γ2) is a superposition of γ1 on γ2. (If β is either a superposition of γ1 on γ2
or a superposition of γ2 on γ1, then we say that β is a superposition between γ1 and γ2.) To
each superposition there corresponds a critical pair <α1, α2> of expressions defined as follows.
α1 and α2 are the expressions obtained by applying to θ(γ2) the above two rules, respectively.
More precisely,

    α1 = θ(γ2)[u ← θ(δ1)]

    α2 = θ(δ2)

For example, consider the following rules

    γ1 → δ1:  Append(q1, Enqueue(q2, i2)) → Enqueue(Append(q1, q2), i2)

    γ2 → δ2:  Append(Append(q3, q4), q5) → Append(q3, Append(q4, q5))

γ1 is unifiable with the entire expression γ2 by the most general unifier θ = [Append(q3, q4)
for q1, Enqueue(q2, i2) for q5], yielding the superposition α and the critical pair <α1, α2>
shown below:

    α  = Append(Append(q3, q4), Enqueue(q2, i2))
    α1 = Enqueue(Append(Append(q3, q4), q2), i2)
    α2 = Append(q3, Append(q4, Enqueue(q2, i2)))

Theorem 1 The KB-Theorem

If R has the finite (uniform) termination property, then it has the unique termination property if
and only if every critical pair <α1, α2> of R has the property that α1 and α2 have identical
normal forms.

Proof For a proof see [28, 22].

If a finite rewriting system has no superpositions, and therefore no critical pairs, it is said to
be superposition-free. Thus, we trivially have:

Corollary If a finite rewriting system has the uniform termination property, and is
superposition-free, then it has the unique termination property.

For example, the rewriting system in Fig. 11 corresponding to Queue_Int is
superposition-free. In the next subsection we show that it satisfies the uniform termination
property. So the rewriting system is convergent.
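
Both the critical pair of the Append example and the claim that Fig. 11 is superposition-free
can be checked mechanically. The following Python program is an added illustration, not code
from the thesis: it implements syntactic unification with an occurs check (a plain Robinson-style
procedure, not Robinson's original presentation), enumerates the nonvariable occurrences of
each left hand side, and builds every critical pair <α1, α2> as defined above. Terms are
written as nested tuples; rule (11) and the associativity rule are transcribed from the text; the
function names, the variable-renaming convention, and the decision to skip the trivial overlap
of a rule with itself at the root are this example's own assumptions. The program does not
check joinability of the pairs, which Theorem 1 requires and which needs normal forms.

```python
# Added example, not from the thesis: superpositions and critical pairs of
# Sec. 3.3.3.1 computed by syntactic unification. Terms are nested tuples
# ('F', arg1, ...); a bare string is a variable. The unifier is a plain
# Robinson-style algorithm with an occurs check. Joinability of the pairs,
# which Theorem 1 needs, is not checked here (that requires normal forms).

def is_var(t):
    return isinstance(t, str)

def subst(theta, t):
    """Apply theta (dict var -> term), chasing bindings transitively."""
    if is_var(t):
        return subst(theta, theta[t]) if t in theta else t
    return (t[0],) + tuple(subst(theta, a) for a in t[1:])

def occurs(v, t, theta):
    t = subst(theta, t)
    return v == t if is_var(t) else any(occurs(v, a, theta) for a in t[1:])

def unify(a, b, theta=None):
    """Most general unifier of a and b as a dict, or None if not unifiable."""
    theta = dict(theta or {})
    a, b = subst(theta, a), subst(theta, b)
    if a == b:
        return theta
    if is_var(a):
        if occurs(a, b, theta):              # a inside b: no finite unifier
            return None
        theta[a] = b
        return theta
    if is_var(b):
        return unify(b, a, theta)
    if a[0] != b[0] or len(a) != len(b):     # clash of function symbols
        return None
    for x, y in zip(a[1:], b[1:]):
        theta = unify(x, y, theta)
        if theta is None:
            return None
    return theta

def rename(t, suffix):
    """Suffix every variable so that two rules have disjoint variable sets."""
    return t + suffix if is_var(t) else (t[0],) + tuple(rename(a, suffix) for a in t[1:])

def occurrences(t, u=()):
    """All (u, t/u) such that t/u is a nonvariable subexpression of t."""
    if is_var(t):
        return []
    out = [(u, t)]
    for i, a in enumerate(t[1:], start=1):
        out += occurrences(a, u + (i,))
    return out

def replace(t, u, s):
    """t[u <- s]: t with the subexpression at occurrence u replaced by s."""
    if not u:
        return s
    return t[:u[0]] + (replace(t[u[0]], u[1:], s),) + t[u[0] + 1:]

def critical_pairs(rules):
    """All critical pairs <a1, a2> arising from a superposition of g1 -> d1
    on g2 -> d2 at a nonvariable occurrence u of g2. The trivial overlap of
    a rule with itself at the root is not counted as a superposition."""
    pairs = []
    for i, (g1, d1) in enumerate(rules):
        g1, d1 = rename(g1, "_1"), rename(d1, "_1")
        for j, (g2, d2) in enumerate(rules):
            g2, d2 = rename(g2, "_2"), rename(d2, "_2")
            for u, sub in occurrences(g2):
                if i == j and u == ():
                    continue
                theta = unify(g1, sub)
                if theta is not None:
                    a1 = subst(theta, replace(g2, u, d1))   # theta(g2)[u <- theta(d1)]
                    a2 = subst(theta, d2)                   # theta(d2)
                    pairs.append((a1, a2))
    return pairs

def is_superposition_free(rules):
    return critical_pairs(rules) == []

# The Fig. 11 rules (1)-(6), (10)-(13), transcribed as tuples.
FIG11 = [
    (("Front", ("Nullq",)), ("ERROR",)),
    (("Front", ("Enqueue", ("Nullq",), "e")), "e"),
    (("Front", ("Enqueue", ("Enqueue", "q", "e1"), "e2")), ("Front", ("Enqueue", "q", "e1"))),
    (("Dequeue", ("Nullq",)), ("ERROR",)),
    (("Dequeue", ("Enqueue", ("Nullq",), "e")), ("Nullq",)),
    (("Dequeue", ("Enqueue", ("Enqueue", "q", "e1"), "e2")),
     ("Enqueue", ("Dequeue", ("Enqueue", "q", "e1")), "e2")),
    (("Append", "q", ("Nullq",)), "q"),
    (("Append", "q1", ("Enqueue", "q2", "e2")), ("Enqueue", ("Append", "q1", "q2"), "e2")),
    (("Size", ("Nullq",)), ("0",)),
    (("Size", ("Enqueue", "q", "e")), ("+", ("Size", "q"), ("1",))),
]
# Rule (11) with Append associativity: the two rules of the worked example.
ASSOC = (("Append", ("Append", "q3", "q4"), "q5"), ("Append", "q3", ("Append", "q4", "q5")))
EXAMPLE = [FIG11[7], ASSOC]
```

critical_pairs(EXAMPLE) contains the pair shown in the text (with the rules' variables suffixed
_1 and _2), but also the overlap of rule (11) inside the left argument of the associativity rule
(occurrence (1,)), the symmetric superposition of γ2 on γ1, and the overlap of the associativity
rule with a renamed copy of itself; all four would have to be checked for joinability before the
two-rule system could be declared uniquely terminating. For Fig. 11 alone the list is empty,
which is the superposition-free claim made above.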

3.3.3.2 Checking Finite Termination

A general technique for checking termination of a rewriting system R is to
demonstrate that it is possible to define a well-founded partial ordering ≻ on the set of all
constants (that can be constructed using the function symbols in R) so that t1 → t2 implies
t1 ≻ t2. A partial ordering is well-founded if there are no infinite descending sequences such
as t1 ≻ t2 ≻ ... for any constants. Hence, there cannot be any infinite sequence of rewrites
using R either. Appendix II goes into this topic in greater detail. It describes a theorem that
provides a useful guideline to define a suitable partial ordering to check the uniform
termination property of a rewriting system.

We assume that a well-founded partial ordering on expressions is available as an
input to the synthesis procedure. The ordering ≻ is used by the synthesis procedure not only
to ensure the uniform termination property of inputs, but also to ensure that the output
synthesized terminates. The orderings used in our examples belong to a class of orderings
called the lexicographic recursive path ordering [26, 10]. A formal definition of the ordering is
given in Appendix II.

3.4 Proving Properties of a Data Type

The properties of a data type we are interested in are always expressed as equations
of the form e1 ≡ e2, where e1 and e2 are expressions, and ≡ denotes the observable
equivalence relation (see Sec. 3.1.2). For instance, the property
Append(Append(q1, q2), q3) ≡ Append(q1, Append(q2, q3)) asserts that for every instantiation of
the variables by values the expressions on the two sides of the equation yield observably
equivalent values. Our objective is to prove a property as a theorem from a specification of
the type. This is crucial to our work because synthesis of implementations involves searching
for appropriate theorems of the input specifications. In the following, we describe how to
mechanically prove theorems from a specification that satisfies the principle of definition.

Definition A Theorem of a Specification

Let S be a specification (or a group of specifications). Let σ be a substitution that maps
variables to generator constants. An equation e1 ≡ e2 is a theorem of S if for every such σ the
constants σ(e1) and σ(e2) have identical normal forms.

Note that the above definition of a theorem guarantees that if e1 ≡ e2 is a theorem of S then e1
and e2 always yield observably equivalent values. This is because the principle of definition
ensures that for every instantiation of the variables (in e1 and e2) by generator constants the
two expressions simplify to the same generator constant. This provides a basis for developing
a method for mechanically proving properties of data types from specifications.

Note that the reverse of the above implication is not true. This is because we
require that the input specifications be only consistent (via the principle of definition), but
not complete [25]. A specification S of a data type D is complete if every equation e1 ≡ e2
such that e1 and e2 are observably equivalent for D is a theorem of S. The synthesis
procedure would be more productive if the input specifications are complete. This is because
it is possible to prove more properties from a complete specification, and hence the synthesis
procedure might be able to derive a larger class of implementations.

There are several ways in which the above result can be used to deduce that an
equation is a theorem of a specification. The methods differ in the reasoning or logic used for
the deduction. In our development we deal with two kinds of logic: the equational logic, and
the inductive logic.

Equational Logic

In the equational logic e1 ≡ e2 is deduced to be a theorem of S by checking if e1 and
e2 have the same normal form in S. Note that if e1↓ = e2↓, then it is obvious that e1 and e2
have identical normal forms for every substitution of the variables by generator constants. (e↓
denotes the normal form of e.) An equation deduced to be a theorem of S in this fashion is
said to be a theorem in the equational theory of S. When S satisfies the principle of
definition every expression is guaranteed to have a unique normal form. Therefore, it is
possible to develop a general procedure to decide the entire equational theory of S. As an
illustration, we give a proof of
Append(Append(q1, q2), Nullq) ≡ Append(q1, Append(q2, Nullq)) using the specification of
Queue_Int shown in Fig. 11.

Equation to be proved: Append(Append(q1, q2), Nullq) ≡ Append(q1, Append(q2, Nullq))

Normal form of left hand side:
    Append(Append(q1, q2), Nullq)
      → Append(q1, q2)                        [Rule (10)]

Normal form of right hand side:
    Append(q1, Append(q2, Nullq))
      → Append(q1, q2)                        [Rule (10)]

Inductive Logic

A property Φ is deduced to be a theorem in the inductive logic by using, besides the
reduces relation →*, some form of mathematical induction. A property that is deduced
using the inductive logic is called a theorem in the inductive logic. The set of all properties
that can be deduced from a specification using the inductive logic is called the inductive
theory of the specification.

The induction used is carried over the set of all generator constants using one or
more of the variables in Φ as parameters for the induction. The induction is based on any
well-founded partial ordering on the set of generator constants. Suppose G is the set of all
generator constants, and ≻ is a well-founded partial ordering on G. Suppose we are using
the variable v of Φ(v) as the parameter of induction. Then the induction rule may be stated as
follows:

Induction rule

If for every t ∈ G we can show that Φ[v/t] follows from Φ[v/t'] for every t' ∈ G such that
t ≻ t', then Φ(v) is a theorem.

To apply the induction rule, we have to define a partial ordering ≻ on G. Since G
can, in general, be infinite the definition of ≻ is usually recursive. The step of showing that
Φ[v/t'] for every t' with t ≻ t' implies Φ[v/t] is fragmented into several cases. Each of these
cases is established using the relation →* as was done in the equational logic. Fig. 12 gives an
example of an inductive proof. It proves the property
Append(Append(q1, q2), q3) ≡ Append(q1, Append(q2, q3)) from the specification of Queue_Int
given in Fig. 11. The proof uses an ordering generated by the following relation on the
generator expressions of Queue_Int: Enqueue(q, i) ≻ Nullq, and Enqueue(q, i) ≻ q. The
proof uses the variable q3 as the parameter of induction.

Fig. 12. Proof by Inductive Logic

Theorem to be proved: Append(Append(q1, q2), q3) ≡ Append(q1, Append(q2, q3))

Basis: q3 ← Nullq

    To prove: Append(Append(q1, q2), Nullq) ≡ Append(q1, Append(q2, Nullq))

    Proof is demonstrated above.

Induction: q3 ← Enqueue(q, i)

    Hypothesis: Append(Append(q1, q2), q) → Append(q1, Append(q2, q))

    To prove: Append(Append(q1, q2), Enqueue(q, i)) ≡ Append(q1, Append(q2, Enqueue(q, i)))

    Normal form of left hand side:
        Append(Append(q1, q2), Enqueue(q, i))
          → Enqueue(Append(Append(q1, q2), q), i)        [Rule (11)]
          → Enqueue(Append(q1, Append(q2, q)), i)        [Hypothesis]

    Normal form of right hand side:
        Append(q1, Append(q2, Enqueue(q, i)))
          → Append(q1, Enqueue(Append(q2, q), i))        [Rule (11)]
          → Enqueue(Append(q1, Append(q2, q)), i)        [Rule (11)]

It is not possible to develop a general procedure to decide the entire inductive
theory of S. This is because the inductive hypotheses necessary for the proof cannot be
generated automatically in all situations. However, when S satisfies the principle of
definition a significant number of interesting properties in the inductive theory can be proved
automatically. The automatic method, first developed by Musser [38, 22], is based on the
Knuth-Bendix algorithm (see Sec. 3.3.3.1) for checking convergence of a rewriting system. We
use this method for synthesizing implementations whose proofs of correctness need
induction. We will explain the method in chapter 4 while describing synthesis in the
inductive theory.
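
The reductions of Sec. 3.3.1 and the two proofs of Sec. 3.4 can be replayed mechanically. The
following Python program is an added illustration, not code from the thesis: it implements
matching, substitution and reduction to normal form over the Fig. 11 rules (restated as
tuples), reduces the expression α of Sec. 3.3.1, decides the equational proof of
Sec. 3.4 by comparing normal forms, and carries out the induction step of Fig. 12 by adding the
hypothesis to the system as a rewrite rule. The reduction strategy (outermost-leftmost, first
matching rule), the function names, and the names BASIS, HYP and STEP are this example's
own assumptions; because Fig. 11 is convergent, the strategy does not affect the normal forms
obtained.

```python
# Added example, not from the thesis: a small rewriting engine for the
# reduction relation of Sec. 3.3.1 (matching, substitution, normal forms)
# over the Fig. 11 rules, used to replay the equational proof of Sec. 3.4
# and the induction step of Fig. 12. Terms are nested tuples
# ('F', arg1, ...); a bare string is a variable. Variables of the expression
# being reduced (q1, q2, q, i) stay as free leaves, as in the proofs.

def is_var(t):
    return isinstance(t, str)

def match(pattern, term, sigma):
    """Extend sigma so that sigma(pattern) == term, or return None.
    A pattern variable may be bound to a free variable of term."""
    if is_var(pattern):
        if pattern in sigma:
            return sigma if sigma[pattern] == term else None
        sigma[pattern] = term
        return sigma
    if is_var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        sigma = match(p, t, sigma)
        if sigma is None:
            return None
    return sigma

def subst(sigma, t):
    if is_var(t):
        return sigma.get(t, t)
    return (t[0],) + tuple(subst(sigma, a) for a in t[1:])

def reduce_once(term, rules):
    """One step alpha -> beta: rewrite the outermost, leftmost reducible
    subexpression with the first rule whose left hand side matches it.
    Returns None when term is irreducible by the rules."""
    if is_var(term):
        return None
    for lhs, rhs in rules:
        sigma = match(lhs, term, {})
        if sigma is not None:
            return subst(sigma, rhs)
    for i, a in enumerate(term[1:], start=1):
        b = reduce_once(a, rules)
        if b is not None:
            return term[:i] + (b,) + term[i + 1:]
    return None

def normal_form(term, rules, limit=10_000):
    """Reduce until irreducible. The limit only guards against a system that
    lacks uniform termination; Fig. 11 never reaches it."""
    for _ in range(limit):
        nxt = reduce_once(term, rules)
        if nxt is None:
            return term
        term = nxt
    raise RuntimeError("no normal form within the step limit")

def equational_theorem(e1, e2, rules):
    """e1 == e2 is a theorem in the equational theory iff e1 and e2 have
    the same normal form (Sec. 3.4, Equational Logic)."""
    return normal_form(e1, rules) == normal_form(e2, rules)

def inductive_step_theorem(e1, e2, hypothesis, rules):
    """Induction step of Fig. 12: the hypothesis, oriented as a rewrite rule,
    is appended to the system while both sides are normalized."""
    return equational_theorem(e1, e2, rules + [hypothesis])

# The Fig. 11 rules (1)-(6), (10)-(13), transcribed as tuples.
FIG11 = [
    (("Front", ("Nullq",)), ("ERROR",)),
    (("Front", ("Enqueue", ("Nullq",), "e")), "e"),
    (("Front", ("Enqueue", ("Enqueue", "q", "e1"), "e2")), ("Front", ("Enqueue", "q", "e1"))),
    (("Dequeue", ("Nullq",)), ("ERROR",)),
    (("Dequeue", ("Enqueue", ("Nullq",), "e")), ("Nullq",)),
    (("Dequeue", ("Enqueue", ("Enqueue", "q", "e1"), "e2")),
     ("Enqueue", ("Dequeue", ("Enqueue", "q", "e1")), "e2")),
    (("Append", "q", ("Nullq",)), "q"),
    (("Append", "q1", ("Enqueue", "q2", "e2")), ("Enqueue", ("Append", "q1", "q2"), "e2")),
    (("Size", ("Nullq",)), ("0",)),
    (("Size", ("Enqueue", "q", "e")), ("+", ("Size", "q"), ("1",))),
]

# Sec. 3.4 and Fig. 12: associativity of Append with q3 as induction variable.
APPEND, ENQUEUE, NULLQ = "Append", "Enqueue", ("Nullq",)
BASIS = ((APPEND, (APPEND, "q1", "q2"), NULLQ), (APPEND, "q1", (APPEND, "q2", NULLQ)))
HYP = ((APPEND, (APPEND, "q1", "q2"), "q"), (APPEND, "q1", (APPEND, "q2", "q")))
STEP = ((APPEND, (APPEND, "q1", "q2"), (ENQUEUE, "q", "i")),
        (APPEND, "q1", (APPEND, "q2", (ENQUEUE, "q", "i"))))

if __name__ == "__main__":
    # the alpha of Sec. 3.3.1: reduction stops at Dequeue(Enqueue(q1, 0)),
    # because rules (5) and (6) need a generator in place of the variable q1
    print(normal_form(("Dequeue", (APPEND, "q1", (ENQUEUE, NULLQ, ("0",)))), FIG11))
    print(equational_theorem(*BASIS, FIG11), inductive_step_theorem(*STEP, HYP, FIG11))
```

Without the hypothesis, equational_theorem reports the induction step as not a theorem in the
equational theory: its two sides stop at Enqueue(Append(Append(q1, q2), q), i) and
Enqueue(Append(q1, Append(q2, q)), i), which is exactly why the associativity property lies in the
inductive theory of Queue_Int and not in its equational theory.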
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4.  Stage  1:  The  Preliminary  Implementation 

This  chapter  discusses  the  preliminary  implementation  of  a  data  type,  and  develops 
a  method  to  derive  it  from  the  inputs  to  the  synthesis  procedure.  A  distinguishing 
characteristic  of  the  method  outlined  is  that  it  is  based  on  a  method  for  proving  the 
correctness  of  a  preliminary  implementation.  The  chapter  is  organized  into  the  following 
sections.  The  first  section  defines  precisely  what  constitutes  a  preliminary  implementation. 
The  second  section  gives  a  mathematical  formulation  of  the  problem  involved  in  the 
derivation  of  a  preliminary  implementation  for  a  data  type  from  the  given  inputs.  For 
convenience,  the  problem  is  formulated,  and  solved  here  for  a  situation  where  the 
representing  domain  is  identical  to  the  representation  value  set  In  the  next  chapter,  we 
extend  the  derivation  problem  to  the  more  general  situation  where  the  representing  domain  is 
a  subset  of  the  representation  value  set  The  last  section  describes  a  procedure  to  derive  the 
preliminary  implementation  from  the  input  specifications. 

4.1  A  Preliminary  Implementation 

A  preliminary  implementation  of  a  data  type  is  an  implementation  for  the 
implemented  type  in  a  rewrite  rule  language.  The  preliminary  implementation  uses  a 
representation  scheme  that  is  consistent  with  the  one  characterized  by  the  association 
specification  supplied  by  the  user.  It  consists  of  two  parts:  The  Representation  part,  and  the 
Definitions  part 

The  Representation  part  gives  the  representation  type  used  for  the  implementation 
of  the  implemented  type.  We  call  the  values  of  the  representation  type  the  representation 
values,  and  the  set  of  representation  values  the  representation  value  set.  Only  a  subset  of  the 
representation  value  set  need  be  used  to  represent  the  values  of  the  implemented  type.  This 
subset  is  called  the  representing  domain,  and  is  characterized  by  the  association  specification. 

The  Definitions  part  contains  definitions  for  a  set  of  new  functions  on  the 
representation  values.  We  call  the  new  functions  the  implementing  Junctions.  There  is  an 
implementing  function  corresponding  to  every  operation  of  the  implemented  type;  the 
former  implements  the  latter.  The  definition  of  an  implementing  function  that  implements 
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an  operation  is  called  the  preliminary  implementation  of  that  operation.  An  implementing 
function  is  not  necessarily  a  total  function  on  the  representation  value  set  However,  it  has  to 
be  defined  on  every  value  of  the  representing  domain.  We  use  the  following  convention 
throughout  the  development  to  help  associate  an  implementing  function  with  the  operation 
of  the  implemented  type  it  implements:  The  identifier  that  denotes  an  implementing  function 
is  the  capitalized  version  of  the  identifier  that  denotes  the  corresponding  abstract  operation. 
For  instance,  NULLQ  is  the  implementing  function  of  the  operation  Nullq. 

The  Definitions  part  consists  of  a  set  of  rewrite  rules  of  the  form  e,  -»  cr  The 
rewrite  rules  in  the  Definitions  part  defining  an  implementing  function  f  arc  the  ones  that 
have  F  as  the  outermost  symbol  on  their  left  hand  side,  e,  and  e2  are  expressions  that  may 
contain  the  implementing  functions,  the  operations  of  the  implementing  types,  and 
if_thcn_clsc  with  the  following  constraints: 

(1)  The  only  operations  of  the  representation  type  that  may  appear  in  e,  and  c2  are  the 
generators  of  the  type. 

(2)  e,  and  e2  may  not  contain  any  auxiliary  (or  helping)  functions  other  than 
ifjhcn.etse. 

There  are  two  reasons  for  constraining  the  preliminary  implementation.  Firstly,  we 
would  like  to  constrain  the  structure  of  the  preliminary  implementation  so  that  the  synthesis 
procedure  has  to  perform  less  work  in  searching  for  the  desired  solution.  Secondly,  we  want 
to  keep  the  language  as  simple  as  possible  so  that  the  principle  behind  the  synthesis  method  is 
brought  out  more  clearly  in  our  description. 

The  first  constraint  is  imposed  to  keep  the  preliminary'  implementation  derivation 
problem  simple.  This  constraint  permits  us  to  ignore  several  axioms  in  the  specifications  of 
the  implementing  types  during  verification  as  well  as  synthesis  of  a  preliminary 
implementation.  In  particular,  the  only  axioms  in  the  specification  of  the  representation  type 
that  we  need  to  consider  are  the  ones  that  involve  only  the  generators  of  the  type  involved  in 
the  specification.  This  is  because  only  the  generators  of  the  representation  type  may  appear 
in  the  preliminary  implementation.  To  this  extent  this  constraint  simplifies  the  synthesis 
method.  An  implementation  that  also  uses  the  rest  of  the  operations  is  derived  in  the  next 
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stage  of  the  synthesis  as  a  transformation  of  the  preliminary  implementation. 

The  second  constraint,  in  general,  restricts  the  logical  power,  i.e.,  the  ability  to 
define  any  computable  function  on  the  representation  type,  of  the  preliminary 
implementation  language  because  the  constraint  prohibits  the  use  of  any  helping  (or 
auxiliary)  functions  (except  if_thcn_clsc)  in  a  preliminary  implementation.  Our  synthesis 
method  cannot  automatically  discov  er  the  helping  functions  that  might  be  necessary  in  the 
preliminary  implementation.  We  use  two  approaches  to  get  around  this  problem;  both  the 
approaches  amount  to  relaxing  the  second  constraint.  Ibcy  arc  explained  here  briefly,  but 
arc  illustrated  more  clearly  when  we  later  consider  examples  involving  them. 

The  first  approach  consists  of  seeking  help  from  the  user.  We  require  the  user  to 
furnish  a  specification  of  the  helping  function  needed  in  die  preliminary  implementation. 
We  then  relax  the  second  constraint  to  permit  the  use  of  the  helping  function  in  the 
preliminary  implementation. 

The second approach consists of introducing a new construct into the preliminary
implementation language. The construct, which is used primarily in conjunction with a tuple
type, helps eliminate the need for helping functions while defining several functions on tuple
types. We pay special attention to the tuple type because it is a commonly used
representation type. The construct provides a way of accessing the components of a tuple
returned by an expression of tuple type without explicitly using the operations that select
the components of a tuple. This construct may be used in expressions that appear on the
right hand side of an equation of a preliminary implementation. The construct is expressed
by means of an expression with the following syntax:

e1 where <v1, ..., vn> is e2

In the above, v1, ..., vn are variables; e2 is an expression of n-tuple type; e1 is an expression
that may contain the variables v1, ..., vn. The construct binds, in order, v1, ..., vn to the
components returned by e2. The scope of the binding is limited to the expression e1. For
example, consider the expression

<Assign(v1, e, j1), i1, j1 + 1> where <v1, i1, j1> is DEQUEUE(<v, i, j>)

Assuming DEQUEUE is a function from Triple to Triple, the variables v1, i1, and j1 in the above
expression are bound to the components of the triple returned by DEQUEUE(<v, i, j>).

4.2 The Preliminary Implementation Derivation Problem

Our intention is to study the problem of synthesis within the data type verification
framework. So we formulate the problem of deriving a preliminary implementation as
roughly the inverse of the problem of proving the correctness of the preliminary
implementation.

First, we develop the criterion of correctness of a preliminary implementation.
Then, we formulate the problem of verifying if a preliminary implementation meets the
correctness criterion. We define the derivation problem after that. For convenience, the
verification problem and the derivation problem are formulated here for a situation in which
the representing domain is identical to the representation value set. This situation
corresponds to the case where the abstraction function is total, and the invariant part of the
association specification is vacuous. We discuss the derivation problem for a situation where
the representing domain is a subset of the representation value set later. It should be noted
that the formulation of the correctness criterion given below applies to both situations.

4.2.1  The  Criterion  of  Correctness 

Informally,  for  a  preliminary  implementation  to  be  correct,  the  implementing 
functions  it  defines  should  collectively  exhibit  a  behavior  that  is  consistent  with  the 
observable  behavior  characterized  by  the  specification  of  the  implemented  type.  Also,  the 
preliminary  implementation  should  use  a  representation  scheme  that  meets  the  requirements 
of  the  association  specification  given  as  input.  Let  us  formalize  this  intuitive  notion. 

The  formal  object  that  a  preliminary  implementation  is  denoting  can  be  considered 
to  be  a  heterogeneous  algebra,  called  the  implementation  algebra,  with  the  following 
components: 

(i) A principal domain that is a subset of the representation value set. The principal
domain is defined as the set of all values of the representation type that are
"reachable" through the implementing functions corresponding to the constructors
of the implemented type. In other words, the principal domain is the set of
representation values generated by the closure under functional composition of the
implementing functions corresponding to the constructors of the implemented type.

(ii) A domain corresponding to every defining type of the implemented type. We
assume that this domain is identical to the value set of the corresponding defining
type.

(iii) A function corresponding to every implementing function defined by the preliminary
implementation.

A preliminary implementation is correct if the implementation algebra it denotes is
a model of the implemented data type in a manner constrained by the association
specification. This means that there exists a homomorphism from the implementation
algebra to the implemented type that behaves as an identity function on the values of the
defining types, and exactly like the abstraction function characterized by the association
specification on the values of the representation type.

Let ℛ denote the representing domain, and 𝒜 denote the abstraction function
specified by the association specification. Let ℋ be a function defined as below.

D: Implemented type, ℛ: Representing domain, D1, ..., Dn: The defining types of D

ℋ: ℛ ∪ D1 ∪ ... ∪ Dn → D ∪ D1 ∪ ... ∪ Dn
𝒜: ℛ → D

ℋ(r) = 𝒜(r)  if r ∈ ℛ
       r     otherwise

A preliminary implementation of a data type is correct with respect to the association
specification 𝒜, if the following two conditions hold.

(1) Totality Property. Every implementing function is total over ℛ.

(2) Homomorphism Property. The operation f of the implemented type and the
implementing function F are related by the property:
(∀ r ∈ ℛ)[ℋ(F(..., r, ...)) = f(..., ℋ(r), ...)]
The correctness criterion formulated above is different from the formulation found
in the literature on data type verification [25, 14, 18], which is not formulated with respect to a
given homomorphism ℋ. According to the conventional formulation a preliminary
implementation is correct if there exists a function ℋ from the representation value set to the
value set of the implemented type so that: For all r ∈ the principal domain,

ℋ(F(..., r, ...)) = f(..., ℋ(r), ...). Thus, according to this criterion the implementing functions
are not required to be total with respect to ℛ. Note that the principal domain can be a subset
of ℛ. What distinguishes our formulation is the requirement that F be total over ℛ, and also
satisfy the homomorphism property over ℛ.

Our formulation is more useful in the context of synthesis. It enables us to
determine a principal domain of the implementation algebra (which, in turn, determines the
set of representation values on which every implementing function should be defined)
directly from the association specification. This reduces the interdependence of the synthesis
of the preliminary implementations of the various operations of the type. This is because in
other formulations the principal domain has to be determined by computing the closure under
composition of the implementing functions of the constructors. Thus the domain of the
implementing function of each of the constructors is, in general, dependent on the behavior
of the implementing function of every other constructor.

The  totality  requirement  is  also  more  interesting  in  the  context  of  synthesis.  In  the 
synthesis  process  the  association  specification  initiates  the  derivation  of  an  implementation  by 
defining  the  representation  scheme  to  be  used.  The  association  specification  is  expected  to 
express  the  intention  of  the  user  regarding  the  representation  scheme  he  wants  the 
implementation  (to  be  derived)  to  use.  So  it  is  logical  to  assume  that  the  user  wants  the  entire 
representing  domain  characterized  by  the  association  specification  to  be  used  for  representing 
the  values  of  the  implemented  type. 
4.2.2 The Derivation Problem

The goal of the derivation problem is to derive a preliminary implementation from
the given inputs so that the preliminary implementation meets the correctness criterion. The
inputs consist of the specification of the implemented type, the specifications of the
implementing types, and the homomorphism specification. The homomorphism specification
is a specification of the homomorphism ℋ that the preliminary implementation ought to
obey. This specification is easily derived from the specification of the abstraction function 𝒜
(given as a part of the association specification). The Homomorphism Specification contains
two kinds of rewrite rules obtained as described below. The first set of rules specifies that ℋ
behaves exactly like the abstraction function on the representation values. The second set of
rules specifies that ℋ behaves as an identity function on the values of all the ancillary types.
More precisely,

(1) if 𝒜(e1) = e2 belongs to the abstraction function specification
then ℋ(e1) = e2 belongs to the Homomorphism Specification

(2) if a is a generator of an ancillary type
then ℋ(a(v1, ..., vn)) = a(ℋ(v1), ..., ℋ(vn)) belongs to the Homomorphism Specification

Let us call the combination of all the input specifications the Input World (IW). The
restrictions on the inputs (see sec 2.3.1 of the previous chapter) ensure that the Input World
satisfies the principle of definition. The strategy behind the method used in deriving the
preliminary implementation is based on the principle of definition property.

Suppose IW is supplemented with a set of rewrite rules, called the ℋ-rules, that
express the homomorphism property a preliminary implementation is expected to satisfy: For
every pair of an operation f of the implemented type and its implementing function F there
exists an ℋ-rule of the form ℋ(F(v1, ..., vn)) → f(ℋ(v1), ..., ℋ(vn)). Let us call the
supplemented system the Perturbed World (PW). Let us suppose that the addition of the
ℋ-rules does not destroy the uniform termination property of IW. The reason we refer to the
supplemented system as the Perturbed World is that the addition of the ℋ-rules destroys
the principle of definition property. PW does not satisfy the principle of definition because
the implementing functions that are newly introduced into the system are as yet undefined.
A constant involving the implementing function symbols does not simplify to a generator
constant.

Recall that the principle of definition is a formal expression of the requirement that
every nongenerator function in a system be completely defined as a total function. If we can
generate a set of rewrite rules that can restore the principle of definition property of PW, then
the new set of rules can be considered as a complete definition for the implementing
functions. Thus, preliminary implementation derivation is a problem of restoring the
principle of definition of a system that violates it.

More  precisely,  the  problem  involved  in  synthesizing  a  preliminary  implementation 
consists  of  deriving  from  the  Perturbed  World  a  set  of  rewrite  rules,  PI  (the  acronym  stands 
for  preliminary  implementation),  so  that 

(1) PI ∪ IW satisfies the principle of definition, as well as

(2) PI ∪ PW satisfies the principle of definition.

In  the  following,  we  give  a  formal  proof  that  the  above  conditions  guarantee  the  correctness 
of  the  preliminary  implementation. 

The  Correctness  Theorem 

Let PI be a set of rewrite rules derived so that the above two conditions hold. Then, PI
satisfies the criterion of correctness of a preliminary implementation.

Proof. The first condition asserts that PI ∪ IW satisfies the principle of definition. This
implies that every nongenerator function in the system, which includes every implementing
function, is defined as a total function. Hence, PI satisfies the Totality Property.

To show that PI satisfies the Homomorphism Property, we have to show that every
equation of the form ℋ(F(v1, ..., vn)) = f(ℋ(v1), ..., ℋ(vn)) is a theorem of PI ∪ IW. The
argument to show that the second condition implies this is based on the following interesting
result about any system that satisfies the principle of definition. The result,¹⁴ which is proved
as Theorem 6 in Appendix III, enunciates a sufficient condition for an equation to be a
theorem of a system that satisfies the principle of definition. Suppose S is a system that
satisfies the principle of definition, and e1 = e2 is an equation so that e1 and e2 have at least
one nongenerator function symbol in them. Then, e1 = e2 is a theorem of S if S ∪ {e1 → e2}
satisfies the principle of definition. The result is proved in the Lemma to follow.

Because of the second condition PI ∪ PW satisfies the principle of definition. Since
PW is IW ∪ ℋ-rules, this implies that (PI ∪ IW) ∪ ℋ-rules satisfies the principle of
definition. Now, by the first condition PI ∪ IW satisfies the principle of definition. By
applying the above result, each of the ℋ-rules (when treated as equations) is a theorem of
PI ∪ IW. Note that the result can be applied because the ℋ-rules have nongenerator
function symbols in them.

Q.E.D. 

4.3  Derivation  of  a  Preliminary  Implementation 

In the previous section the problem of deriving a preliminary implementation was
formulated as deriving a set of rewrite rules, PI, so as to restore the principle of definition
property to the Perturbed World PW. This section develops a procedure to derive a
preliminary implementation. The procedure makes two assumptions about its input: (1) the
Initial World (IW) satisfies SCPD, a sufficient condition for the principle of definition, and
(2) a termination ordering ≻ on expressions is available to the procedure to ensure the
uniform termination property of rewriting systems.

The obvious strategy for the procedure is to derive the rules of the preliminary
implementation so that PI ∪ IW and PI ∪ PW satisfy SCPD. But this limits the class of
implementations that can be derived by the procedure. So, we develop another set of
conditions, called the synthesis conditions, that is weaker than SCPD. PI is generated so that
it satisfies the synthesis conditions. It can be shown that when PI satisfies the synthesis
conditions, PI ∪ IW and PI ∪ PW satisfy the principle of definition. We first formulate the
synthesis conditions, and then develop a procedure to derive a set of rules that satisfies the
synthesis conditions.

14. [22, 38] contain results similar to the one proved in this lemma. The result here is different
because we have a different set of assumptions. The principle of definition property used in [22] is
more constrained than the one we have. The result in [38] assumes that S satisfies a completeness
property called fully specifiedness, which is not assumed here. This is the reason for the requirement
in the lemma that e1 and e2 should have at least one nongenerator function symbol in them.

4.3.1  The  Synthesis  Conditions 

The synthesis conditions for a set of rewrite rules PI are the following:

(1) Totality Condition:

(a) PI is well-spanned (for every implementing function) with every rule in it
being of the form F(g1, ..., gn) → t,¹⁵ where F is an implementing
function symbol, and g1, ..., gn are generator expressions.

(b) PI satisfies the uniform termination property.

(2) Uniqueness Condition: PI has the unique termination property.

(3) Homomorphism Condition: For every rule F(g1, ..., gn) → t in PI,

ℋ(F(g1, ..., gn)) = ℋ(t) is a theorem of PW.

The following Synthesis Theorem shows that when PI satisfies the synthesis conditions,
PI ∪ IW and PI ∪ PW satisfy the principle of definition, and hence, by the Correctness
Theorem, PI is correct. An informal motivation for the conditions can be given as follows.
The Totality Condition ensures that every implementing function is defined on all the values
of the representation type, and that it terminates on each of them. The Uniqueness Condition
ensures that every implementing function is well-defined, in the sense that it yields a unique
value for every argument value. The Homomorphism Condition ensures that the preliminary
implementation satisfies the Homomorphism Property.

15. Note that the syntactic constraint on a preliminary implementation requires that t may contain
neither the function symbol ℋ, nor any of the operations of the implemented type.

The  Synthesis  Theorem 

If PI satisfies the synthesis conditions, then PI ∪ IW and PI ∪ PW satisfy the principle of
definition, and hence PI is a correct preliminary implementation.

Proof. It is easy to see that PI ∪ IW satisfies the principle of definition because the Totality
Condition and the Uniqueness Condition imply that the preliminary implementation satisfies
SCPD, and IW satisfies SCPD by our assumption about the inputs.

Let NW denote PI ∪ PW, for convenience. We apply Theorem 8 (Appendix III) to
show that NW satisfies the principle of definition. According to that theorem, a rewriting
system S satisfies the principle of definition if

(a) S is well-spanned,

(b) S has the uniform termination property,

(c) Every critical pair <α1, α2> of S is such that α1 = α2 is a theorem of S.

We show that NW satisfies all three premises of the above theorem. NW is well-spanned.
This is because IW is well-spanned by our assumption, and PI is well-spanned by Totality
Condition (a). The only nongenerator function symbols of NW are the ones in IW and PI.
By Totality Condition (b) PI has the uniform termination property, so NW has the uniform
termination property also. The following lemma shows that NW satisfies premise (c).

Q.E.D.


Lemma. Every critical pair <e1, e2> of NW is such that e1 = e2 is a theorem of NW.

Proof. Note that PW is convergent. This is because IW is convergent by assumption, and the
ℋ-rules added to IW do not give rise to any new critical pairs.

NW is constructed from PW by adding PI to the former. Therefore, any new
critical pairs of NW would be generated as a result of a superposition of the rules of PI on the
rules of NW. Because of Totality Condition (a) on the form of the rules in PI, the only rules
on which the rules of PI can have a superposition are the following:

(I) the rules of PI themselves, or

(II) the rules of the implementing types,

(III) the ℋ-rules.

Every critical pair <e1, e2> determined by a superposition on the rules in
categories (I) and (II) is such that e1↓ is identical to e2↓, where e↓ denotes the normal form
of e. This is because, by the Uniqueness Condition, PI satisfies the unique termination
property. Hence, e1 = e2 is a theorem of NW.

Every critical pair determined by a superposition on the rules in category (III) is of
the form <ℋ(F(g1, ..., gn)), ℋ(t)>, where F(g1, ..., gn) → t is a rule in PI. By the
Homomorphism Condition, ℋ(F(g1, ..., gn)) = ℋ(t) is a theorem of PW, and hence a
theorem of NW.

Q.E.D.


4.3.2  Derivation  of  the  Rules  of  PI 

The rewrite rules of PI are derived from the Perturbed World (PW). So the initial
task of the derivation procedure is to construct PW. PW is a rewriting system that includes
the Initial World (IW) and the ℋ-rules. IW is constructed by combining the specification of
the implemented type, the specifications of the implementing types, and the Homomorphism
Specification. Without any loss of generality, we assume that there is no conflict among the
names of the various function symbols in the specifications. PW is formed by then adding a
rule of the form ℋ(F(v1, ..., vn)) → f(ℋ(v1), ..., ℋ(vn)) for every implementing function F
to be defined. We assume that the termination ordering ≻ being used by the synthesis
procedure is such that ℋ(F(v1, ..., vn)) ≻ f(ℋ(v1), ..., ℋ(vn)), for every implementing
function. This ensures that PW retains the uniform termination property as desired by the
derivation problem. Note that this is not a restriction because the implementing function
symbols (in the ℋ-rules) are fresh symbols being introduced into IW. Hence, an appropriate
ordering can always be found.

Although PW is defined to include the specification of every implementing type
completely, it is not necessary to do so. Since the derivation method does not require the
specifications to be complete, one may include only parts of the specifications of the
implementing types. The advantage of doing so is that the fewer the rules in PW, the more
efficient it is to derive the preliminary implementation. However, by not including certain
rewrite rules one might be excluding certain implementations.

Let us illustrate the construction of PW on an example. We consider the derivation
of an implementation for Queue_Int with Circ_List as the representation type using the
association specification given in Fig. 9 in the previous chapter. Fig. 13 gives the rules of PW
for the example under consideration. The rules of the types Integer and Bool, which are also
among the implementing types, are omitted from the figure for convenience. The rules of the
representation type Circ_List are omitted because they are not going to be used in the
derivation of the preliminary implementation. This situation arises because a preliminary
implementation is permitted to use only the generators of the representation type. So, the
only rules of the representation type needed in verification, and hence also in the derivation
of a preliminary implementation, are the ones that contain only the generators. Since
Circ_List does not have any rules of this kind, Circ_List does not contribute any rules to IW.
Rules (1) through (13) in the figure are rules of Queue_Int; rules (14) through (17) are the
rules of the Homomorphism Specification.

Fig. 13. The Perturbed World

(1) Front(Nullq) → ERROR
(2) Front(Enqueue(Nullq, e)) → e
(3) Front(Enqueue(Enqueue(q, e1), e2)) → Front(Enqueue(q, e1))
(4) Dequeue(Nullq) → ERROR
(5) Dequeue(Enqueue(Nullq, e)) → Nullq
(6) Dequeue(Enqueue(Enqueue(q, e1), e2)) → Enqueue(Dequeue(Enqueue(q, e1)), e2)
(10) Append(q, Nullq) → q
(11) Append(q1, Enqueue(q2, e2)) → Enqueue(Append(q1, q2), e2)
(12) Empty(Nullq) → True
(13) Empty(Enqueue(q, e)) → False
(14) ℋ(Create) → Nullq
(15) ℋ(Insert(c, i)) → add_at_head(ℋ(c), ℋ(i))
(16) add_at_head(Nullq, i) → Enqueue(Nullq, i)
(17) add_at_head(Enqueue(q, i1), i2) → Enqueue(add_at_head(q, i2), i1)
(19) ℋ(NULLQ()) → Nullq
(20) ℋ(ENQUEUE(c, i)) → Enqueue(ℋ(c), ℋ(i))
(21) ℋ(DEQUEUE(c)) → Dequeue(ℋ(c))
(22) ℋ(APPEND(c1, c2)) → Append(ℋ(c1), ℋ(c2))
(23) ℋ(EMPTY(c)) → Empty(ℋ(c))

The next task is to derive the rewrite rules of PI from PW. Strictly speaking, PI
should be derived so that all three synthesis conditions are satisfied. But it is more
convenient to develop a procedure that derives the rewrite rules so that only the Totality
Condition and the Homomorphism Condition are met. The effect of ignoring the
Uniqueness Condition is not harmful in the sense that it can be fixed at a later stage by
post-processing the preliminary implementation. The Uniqueness Condition ensures that
every implementing function defined by PI returns a unique value on every representation
value. When the Uniqueness Condition is not satisfied, an implementing function F being
defined by PI may be nondeterministic: That is, F can be such that F(v) = v1 and F(v) = v2
but v1 ≠ v2; however, both the values v1 and v2 will represent the same value of the
implemented type. The nondeterministic behavior, if any, in the preliminary implementation
will be eliminated by our synthesis procedure in the second stage while deriving a target
implementation. The semantics of the target implementation language is such that it is
impossible to define nondeterministic functions.

The  procedure  derives  the  preliminary  implementation  for  one  operation  at  a  time 
by  deriving  a  separate  set  of  rewrite  rules  for  every  operation.  The  method  used  is  the  same 
for  every  operation.  The  procedure  first  determines  the  left  hand  sides  of  all  the  rules  of  the 
preliminary  implementation.  Then,  it  determines  a  suitable  right  hand  side  for  each  of  the 
rules  from  the  already  determined  left  hand  side. 
4.3.2.1 Determining the Left Hand Side

The Totality Condition is used to determine the left hand side of the rules. The
Totality Condition has two parts: The first part requires PI to be well-spanned, and the
second part requires PI to have the uniform termination property. The second part is
ensured while deriving the right hand side, which will be discussed later. The first part is
used here.

The well-spannedness property (described formally in sec 2.3.1 of the previous
chapter) requires the left hand side expressions of the rules defining an implementing
function F to satisfy the following property: The set of generator expressions that appear as
arguments to F on the left hand side should span the set of all generator constants. More
precisely, suppose the preliminary implementation of F consists of the following set of rules:
(In the following the question mark identifiers are used as place holders for expressions to be
determined later.)

F(g1) → ?t1, ..., F(gn) → ?tn

Then, the set {g1, ..., gn} should be well-spanned (see sec 2.3.1), i.e., span the set of all
generator constants of the appropriate implementing type. For instance, as a concrete
example, any pair of rules that have the form given below constitute a well-spanned set of
rules for ENQUEUE.

ENQUEUE(Create, j) → ?rhs2

ENQUEUE(Insert(c, i), j) → ?rhs3

Note that the left hand side of each of the above rules consists of ENQUEUE
applied to arguments that are generator expressions. The set of arguments, i.e., sequences of
generator expressions, to ENQUEUE on the left hand side of the rules is
ArgsSet = {<Create, j>, <Insert(c, i), j>}. ArgsSet spans the set of all ordered pairs of
generator constants because every pair of generator constants (the first one of type Circ_List,
and the second of type Integer) is an instance of one of the arguments in ArgsSet.

It is easy to build a procedure that automatically generates a well-spanned ArgsSet,
once the generators of the representation type are identified. In fact, a slight modification to
the procedure referred to in sec 3.3.3 (which checks if an ArgsSet is complete) can be used to
generate a complete set of argument expressions. Thus, an appropriate set of left hand sides
for the rewrite rules to be derived can be determined automatically.

Fig. 14 gives a possible set of left hand side expressions for a preliminary
implementation for the example under consideration. Note that the right hand side of each
of the rules in the figure is denoted by a question mark identifier. So Fig. 14 can be
considered as a partial preliminary implementation of Queue_Int.


4.3.2.2 Determining the Right Hand Side

The right hand side of each of the rules is determined using the already determined
left hand side so that the Homomorphism Condition and the second part of the Totality
Condition are met. This is where the Perturbed World (PW) comes into the picture.

PW is used to derive a set of equations, called the synthesis equations, one equation
for every rule in the preliminary implementation. The right hand side of a rule is determined
from the right hand side of the corresponding synthesis equation. The synthesis equation
corresponding to a rewrite rule F(gi) → ?ti is an equation of the form ℋ(F(gi)) = ℋ(?ti) that
satisfies the following conditions:

(1) ℋ(F(gi)) = ℋ(?ti) is a theorem of PW.

(2) ℋ(F(gi)) ≻ ℋ(?ti), where ≻ is the termination ordering on expressions.

(3) ?ti contains only the implementing function symbols and the permitted operations of the
implementing types.

It is easy to see the justification for the above conditions. The first condition
contributes towards ensuring the Homomorphism Condition. The second condition ensures
the uniform termination property. The third condition is just a syntactic constraint that any
rule in a preliminary implementation ought to satisfy. The next section describes in detail a
procedure to derive the synthesis equations.

4.4 Deriving the Synthesis Equations

Every synthesis equation of the preliminary implementation is derived with the help
of two inference rules called the synthesis rules. The synthesis rules are designed for
generating theorems of PW that have the same left hand sides, but different right hand sides.
For deriving a synthesis equation, the synthesis rules are invoked repeatedly a finite number
of times to generate a series of theorems until the desired equation is generated. For instance,
the synthesis equation corresponding to the rule ENQUEUE(Insert(c, i), j) → ?rhs2 (in the
partially derived preliminary implementation given in Fig. 14) is derived by generating a
series of theorems that have ℋ(ENQUEUE(Insert(c, i), j)) as their left hand side. The
generation continues until a theorem whose right hand side qualifies the theorem to be a
synthesis equation is encountered.

We investigate two ways in which the synthesis rules can be used for deriving a
synthesis equation. The first one derives synthesis equations that are in the equational theory
of PW. The second one derives equations that are in the inductive theory. The second
method is more general than the first one. A system that implements the synthesis procedure
would, therefore, use only the second method. We discuss them separately for pedagogic
reasons. First, we formulate the synthesis rules. The subsequent subsections describe the use
of the synthesis rules in deriving the synthesis equations.

4.4.1 The Synthesis Rules

The idea used for generating an equation is to reverse the method of demonstrating
that the equation is a theorem of PW. The central notion used in the generation is
expansion. Expansion is the opposite of reduction. It is the act of applying a rewrite rule to
an expression from right to left.

4.4.1.1 Informal Explanation

The basis for the synthesis rules is the result given in the KB-Theorem (see 3.3.3.1).
The theorem gives rise to the following principle for generating equations that are theorems
of a convergent system. Suppose e₁ is an expression that we wish to have as the left hand side
of the equation. Then, an expression ?e₂ that may appear on the right hand side of any
equation that has e₁ as its left hand side should be such that e₁↓ = ?e₂↓. One way of
ensuring that ?e₂ simplifies to e₁↓ is to obtain ?e₂ by applying to e₁↓ the rewrite rules of the
system from right to left a finite number of times. We call the mechanism of applying a rule
to an expression from right to left expand.

We will give a formal definition of expand, and discuss its properties later. Here, we
will give an approximate description of what expand does so that we may develop a first
version of the synthesis rules, and illustrate them on the example.16 Like reduce, performing
expand consists of several steps. Suppose we wish to expand
Add_at_head(Enqueue(ℋ(c), ℋ(j)), ℋ(i)) using the rule
ℋ(ENQUEUE(c, j)) → Enqueue(ℋ(c), ℋ(j)). One way of doing this is to look for a
subexpression (inside the expression to be expanded) that has the form of the right hand side
of the rule. Then replace the subexpression by the corresponding instance of the left hand
side of the rule. In the present case, the subexpression that appears as the first argument to
Add_at_head in the given expression matches the right hand side of the rule for the identity
substitution. The result of expanding the expression is then
Add_at_head(ℋ(ENQUEUE(c, j)), ℋ(i)). The result of expanding an expression e in the
occurrence u by a rule γ → δ is denoted by expand e in u by γ → δ. We use expand(e) to
denote any expression that is obtained by expanding e in some occurrence u by some rule
γ → δ in the rewriting system under consideration.

16. We will generalize the definition of expand later. At that point one of the synthesis rules needs to be
revised slightly as well. According to the definition given here, expansion is identical to the
transformation technique folding used by Darlington [7] for synthesis of recursive programs.

We are now in a position to give the synthesis rules. The first rule specifies how to
start the generation of a series of theorems; it generates a theorem from a given expression
without the need for any existing theorem.

Rule 1:

e is an expression
------------------
e = e↓

The second rule specifies a way of generating a new theorem from an existing one using
expand.

Rule 2:

e₁ = e₂
---------------
e₁ = expand(e₂)

To familiarize the reader with the synthesis rules let us invoke each of the synthesis rules to
generate a couple of theorems that have ℋ(ENQUEUE(Insert(c, i), j)) as their left hand side. We
use the rewrite rules of PW given in Fig. pwl for expansion and reduction. The normal form
of ℋ(ENQUEUE(Insert(c, i), j)) is Enqueue(Add_at_head(ℋ(c), ℋ(i)), ℋ(j)), which is
obtained by using the rewrite rule (20) and then (15) for simplification. By invoking synthesis
rule (1) with e = ℋ(ENQUEUE(Insert(c, i), j)), we generate the following theorem of PW:

ℋ(ENQUEUE(Insert(c, i), j)) = Enqueue(Add_at_head(ℋ(c), ℋ(i)), ℋ(j))

Let us now invoke synthesis rule (2) on the above equation. Using the rewrite rule (17) to
expand the entire expression on the right hand side of the above theorem, we can generate
the following theorem of PW:

ℋ(ENQUEUE(Insert(c, i), j)) = Add_at_head(ℋ(ENQUEUE(c, j)), ℋ(i))
4.4.1.2 Formal Definition of Expand

Expansion is roughly the reverse of the process of reduction. The relation that
characterizes a single step of expansion is called expand. Expanding an expression using a
rule is close to applying the rule to the expression from right to left.

The motivation for introducing the mechanism of expansion is to solve a common
problem encountered during synthesis: this is to find an expression (a desired expression)
that simplifies to a given expression (the starting expression). For instance, in the derivation
shown earlier, the starting expression was Enqueue(Add_at_head(ℋ(c), ℋ(i)), ℋ(j)), and the
desired expression was ℋ(Insert(ENQUEUE(c, j), i)).

The definition of expand uses the concept of unification, and the most general
unifier (see Appendix I). Let t be an expression, and γ → δ be a rule. We assume that t and
γ have disjoint variable sets. If there are common variables then they have to be renamed
suitably. Let u be an occurrence in t such that t/u is unifiable with δ; let θ be the most
general unifier. Let t′ be the expression t[u ← θ(γ)]. Then, we say that t expands to t′ by
γ → δ in u; we denote this relation by t ⇐ t′. Notice that expanding t by γ → δ in u is not
equivalent to reducing t by δ → γ in u. Expand checks if t/u is unifiable with δ, whereas
reduce checks if t/u has the form of δ. Therefore, there are situations where an expression is
expandable by γ → δ, but not reducible by δ → γ.

The following question arises immediately: Why was expand not defined exactly as
applying a rule in the reverse direction? The reason is that a rule γ → δ may be such that
varset(γ) ⊃ varset(δ). Applying such a rule from right to left will result in an expression that
contains "new" variables, i.e., variables that did not exist in the original expression. The use
of such a variable dropping rule during reduction represents a situation where the reduction
step caused a "loss" of information: A new variable introduced in an expansion step might
have had in its place an arbitrary expression during the corresponding reduction step. Our
goal is to reconstruct, if possible, this lost information at a later stage in the expansion process.
During expansion, therefore, a variable in an expression has to be treated, in general, as
though an arbitrary expression might be in its place. Using the predicate unifiable to
determine if an expression is expandable enables us to do this.
For instance, consider the expansion of Append(q, Nullq) by the rule
Dequeue(Enqueue(Nullq, e)) → Nullq. The resulting expression is
Append(q, Dequeue(Enqueue(Nullq, e))). The variable e is a new variable introduced because
of expansion. Every instance of the latter expression in which e is replaced by any other
expression reduces to the former expression. It might be possible to determine the expression
that has to take the place of e in future expansion steps.

It should be pointed out, however, that not all variables in an expression need be
given such a special treatment during expansion. The variables that appear in the starting
expression must appear as they are in the desired expression we are shooting for. Therefore,
while expanding an expression, it is necessary to distinguish between the variables in the
expression that were introduced by a rule (presumably during earlier steps of expansion) and
the ones that were transferred to the expression from the starting expression. We classify the
variables involved in expansion into the following two kinds:

(1) The variables appearing in the rewrite rules; we continue to call these variables.

(2) The variables appearing in the expressions on the left hand sides of the rewrite rules
in the partially generated preliminary implementation (Fig. 14). We call these
variables terminals. Henceforth, we denote terminals by identifiers that are in
italics.

The definition of an expression remains as before except that it may also contain
terminals in it. The definition of a substitution also remains as before; it is a function from
variables to expressions. Thus, when a substitution is extended to be applicable on an
expression, the terminals in the expression are not substituted for, as we desired.

In the wake of the formal definition of expand, and the preceding discussion about
the introduction of variables into expressions due to expansion, we should reconsider the
formulation of the synthesis rules. The first synthesis rule remains unchanged because it does
not use the relation expand. The second synthesis rule was formulated as below:

Rule 2:

e₁ = e₂
---------------
e₁ = expand(e₂)

This formulation is not general enough because it does not account for all the theorems that
can be derived from e₁ = e₂ in one expansion step. If expand(e₂) has variables in it, then
every instance of it can potentially be the right hand side of a theorem. Hence, we
re-formulate the rule as follows:

e₁ = e₂,  σ is a substitution
-----------------------------
e₁ = σ(expand(e₂))

4.4.2 Derivation in the Equational Theory

As an illustration, let us derive a synthesis equation that is of the form
ℋ(ENQUEUE(Insert(c, i), j)) = ℋ(?rhs3) in the partial preliminary implementation shown in
Fig. 14. The equation is derived by generating a series of theorems that have
ℋ(ENQUEUE(Insert(c, i), j)) as their left hand side. The generation is begun by invoking
synthesis rule (1) on the left hand side expression. The rest of the theorems in the series are
generated by invoking synthesis rule (2) using the rewrite rules of PW for expansion. The
rewrite rules for expansion are chosen with the following ultimate goal: Obtain a right hand
side that has the form ℋ(?rhs3) so that ℋ(ENQUEUE(Insert(c, i), j)) ≻ ℋ(?rhs3), and ?rhs3
contains only the permitted operations of the implementing types. In the illustration given
below, the generation of every theorem in the series is considered as a step. At each step, the
expression expanded, and the rewrite rule used for expansion are indicated.

Relevant Rewrite Rules of the Perturbed World

(1) ℋ(ENQUEUE(c, j)) → Enqueue(ℋ(c), ℋ(j))

(2) ℋ(Create) → Nullq

(3) ℋ(Insert(c, i)) → Add_at_head(ℋ(c), i)

(4) Add_at_head(Nullq, i) → Enqueue(Nullq, i)

(5) Add_at_head(Enqueue(q, i), j) → Enqueue(Add_at_head(q, j), i)

Form of the theorem to be generated: ℋ(ENQUEUE(Insert(c, i), j)) = ℋ(?rhs3)

Normal form of ℋ(ENQUEUE(Insert(c, i), j)): Enqueue(Add_at_head(ℋ(c), i), ℋ(j))

Rules used for the normal form: (1), (3)

Step (1) Invoke Synthesis Rule (1) on ℋ(ENQUEUE(Insert(c, i), j))

ℋ(ENQUEUE(Insert(c, i), j)) = Enqueue(Add_at_head(ℋ(c), i), ℋ(j))

Step (2) Expand Expression: Enqueue(Add_at_head(ℋ(c), i), ℋ(j))
Using Rule: (5)

ℋ(ENQUEUE(Insert(c, i), j)) = Add_at_head(Enqueue(ℋ(c), ℋ(j)), i)

Step (3) Expand Expression: Enqueue(ℋ(c), ℋ(j))
Using Rule: (1)

ℋ(ENQUEUE(Insert(c, i), j)) = Add_at_head(ℋ(ENQUEUE(c, j)), i)

Step (4) Expand Expression: Add_at_head(ℋ(ENQUEUE(c, j)), i)
Using Rule: (3)

ℋ(ENQUEUE(Insert(c, i), j)) = ℋ(Insert(ENQUEUE(c, j), i))

The theorem generated in step (4) qualifies to be a synthesis equation.

Hence the desired rule of the preliminary implementation is:

ENQUEUE(Insert(c, i), j) → Insert(ENQUEUE(c, j), i)
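Added here as an example (not code from the thesis or its system): a Python script that implements reduce, expand by unification (Sec. 4.4.1.2), the two synthesis rules and a ≻-pruned search, and replays the derivation above from rules (1)-(5) and the expand example of Sec. 4.4.1.1. It assumes 'H' stands for ℋ, strings beginning with '$' are rule variables, plain strings are terminals, and a lexicographic path ordering with the listed precedence is the termination ordering ≻.

```python
"""Added example, not code from the thesis: a small rewriting engine for the queue example of
Sections 4.4.1-4.4.2.  Terms are nested tuples ('f', arg, ...), rule variables are strings
beginning with '$', terminals (c, i, j) are plain strings, and 'H' stands for the map ℋ."""
from collections import deque

def is_var(t):
    return isinstance(t, str) and t.startswith('$')
def occurrences(t, pos=()):          # every occurrence u of t together with t/u, root first
    yield pos, t
    if isinstance(t, tuple):
        for k, a in enumerate(t[1:], 1):
            yield from occurrences(a, pos + (k,))
def replace(t, pos, new):            # t[u <- new]
    if not pos:
        return new
    return t[:pos[0]] + (replace(t[pos[0]], pos[1:], new),) + t[pos[0] + 1:]
def variables(t):
    return {x for _, x in occurrences(t) if is_var(x)}
def subst(s, t):                     # apply a substitution; terminals are never replaced
    if is_var(t):
        return subst(s, s[t]) if t in s else t
    return (t[0],) + tuple(subst(s, a) for a in t[1:]) if isinstance(t, tuple) else t

def unify(a, b, s, oneway=False):
    # mgu extending s, or None; oneway=True binds only variables of the pattern a, i.e. it
    # tests whether b *has the form of* a (what reduce needs); expand needs plain unifiability
    if not oneway:
        a, b = subst(s, a), subst(s, b)
    if a == b:
        return s
    if is_var(a) and (oneway or a not in variables(b)):
        return {**s, a: b} if a not in s else (s if s[a] == b else None)
    if is_var(b) and not oneway:
        return unify(b, a, s)
    if not (isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b)):
        return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s, oneway)
        if s is None:
            return None
    return s

def normalize(t, rules):             # reduce to normal form (PW is convergent)
    for pos, sub in occurrences(t):
        for lhs, rhs in rules:
            s = unify(lhs, sub, {}, oneway=True)
            if s is not None:
                return normalize(replace(t, pos, subst(s, rhs)), rules)
    return t

def expand(t, rules, fresh=[0]):     # fresh: shared counter for renaming rule variables apart
    # One expansion step (Sec. 4.4.1.2): where t/u is unifiable with the right hand side delta of
    # gamma -> delta, replace t/u by theta(gamma).  Choices made here: theta is applied to all of
    # t (keeps variables introduced by earlier steps consistent); a bare variable is not expanded.
    for pos, sub in occurrences(t):
        for lhs, rhs in rules if not is_var(sub) else ():
            fresh[0] += 1
            ren = {v: v + str(fresh[0]) for v in variables(lhs) | variables(rhs)}
            lhs, rhs = subst(ren, lhs), subst(ren, rhs)
            th = unify(sub, rhs, {})
            if th is not None:
                yield replace(subst(th, t), pos, subst(th, lhs))

PREC = {f: k for k, f in enumerate(['Nullq', 'Create', 'Insert', 'Enqueue', 'Append',
                                    'Add_at_head', 'ENQUEUE', 'APPEND', 'H'])}   # assumed precedence

def lpo(s, t):                       # termination ordering s >- t: lexicographic path ordering
    if not isinstance(s, tuple):
        return False
    if not isinstance(t, tuple):     # a term is above each of its proper subterms
        return any(x == t for _, x in occurrences(s))
    if any(a == t or lpo(a, t) for a in s[1:]):
        return True
    if PREC[s[0]] > PREC[t[0]]:
        return all(lpo(s, b) for b in t[1:])
    diff = [(a, b) for a, b in zip(s[1:], t[1:]) if a != b]
    return s[0] == t[0] and bool(diff) and lpo(*diff[0]) and all(lpo(s, b) for b in t[1:])

def synthesize(lhs, rules, permitted, limit=500):
    # synthesis rule (1) gives H(lhs) = H(lhs)|, then synthesis rule (2) expands the right hand
    # side until it is H(?rhs) with H(lhs) >- H(?rhs) and ?rhs built from permitted symbols only
    start = ('H', lhs)
    todo, seen = deque([normalize(start, rules)]), set()
    while todo and len(seen) < limit:
        e = todo.popleft()
        if e in seen:
            continue
        seen.add(e)
        if isinstance(e, tuple) and e[0] == 'H' and lpo(start, e) and \
                {x[0] for _, x in occurrences(e[1]) if isinstance(x, tuple)} <= permitted:
            return e[1]
        for e2 in expand(e, rules):  # prune anything not below H(lhs); with variables: undecided
            if variables(e2) or lpo(start, e2):
                todo.append(e2)
    return None

PW = [(('H', ('ENQUEUE', '$c', '$j')), ('Enqueue', ('H', '$c'), ('H', '$j'))),   # rules (1)-(5)
      (('H', ('Create',)), ('Nullq',)),                                          # of Sec. 4.4.2
      (('H', ('Insert', '$c', '$i')), ('Add_at_head', ('H', '$c'), '$i')),
      (('Add_at_head', ('Nullq',), '$i'), ('Enqueue', ('Nullq',), '$i')),
      (('Add_at_head', ('Enqueue', '$q', '$i'), '$j'), ('Enqueue', ('Add_at_head', '$q', '$j'), '$i'))]
PERMITTED = {'ENQUEUE', 'APPEND', 'Insert', 'Create'}   # implementing functions + permitted operations
```

Running synthesize(('ENQUEUE', ('Insert', 'c', 'i'), 'j'), PW, PERMITTED) walks exactly steps (1)-(4) above and returns ('Insert', ('ENQUEUE', 'c', 'j'), 'i'); the left hand side itself is reachable by expansion but is rejected by condition (2), since it is not strictly below itself in ≻.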

4.4.3 Derivation in the Inductive Theory

4.4.3.1 The General Strategy

The method used for deriving a synthesis equation in the inductive theory is based
on the following property that every theorem of PW satisfies: If an equation is a theorem of
PW, then every instance of it is in the equational theory of PW. An instance of an equation
e₁ = e₂ is an equation obtained by replacing every variable in e₁ and e₂ by generator
constants.

We, therefore, take the following approach. Suppose the synthesis equation we
wish to derive is of the form ℋ(F(e₁₁)) = ℋ(?e₁₂).17 We first derive an instance of the desired
equation: This is done by selecting an instance of the left hand side, say σ(ℋ(F(e₁₁))), for
some substitution σ of the terminals in e₁₁ to generator constants. Then, an instance of the
equation σ(ℋ(F(e₁₁))) = σ(ℋ(e₁₂)) is derived; the method of derivation for the equational
theory described earlier can be used for this purpose. The instance of the equation derived
should be such that a generalization of it, ℋ(F(e₁₁)) = ℋ(e₁₂), which is obtained by replacing
assorted constants by suitable terminals in the instance, is a theorem of PW.

17. Recall that the left hand side of the synthesis equation is already known.

To check if the generalization is a theorem of PW, we use an automatic procedure
called Is-an-inductive-theorem-of. This procedure is capable of deciding a significant number
of theorems in the inductive theory of a system. The procedure will be described in a
subsequent subsection. Another topic that will be deferred until later is determining a
suitable σ. Any substitution that maps all the terminals in the left hand side of the synthesis
equation to arbitrary generator constants will serve our purpose. However, the derivation
would be more efficient if we instantiated as few terminals as possible. A later subsection will
discuss a method of determining a more judicious way of choosing σ.

In the rest of this subsection, we formalize the notion of the generalization of an
equation, and then illustrate the general strategy by deriving a synthesis equation
corresponding to the rewrite rule APPEND(c, Insert(d, i)) → ?rhs9 in the partial preliminary
implementation of APPEND given in Fig. 14.

The Generalization of an Equation

The generalization of an equation e₁ = e₂ with respect to a substitution σ is the set of
equations of which e₁ = e₂ is an instance using σ. When the substitution with respect to
which the equation is being generalized is obvious from the context, we denote the
generalization by Gen[e₁ = e₂]. Formally, every equation e₁′ = e₂′ ∈ Gen[e₁ = e₂] is such that
σ(e₁′) = e₁ and σ(e₂′) = e₂. Note that if e₁ = e₂ has a finite number of function symbols,
Gen[e₁ = e₂] is always finite. For instance, suppose σ is {d ↦ Create}.
Then, Gen[ℋ(APPEND(c, Insert(Create, i))) = ℋ(APPEND(ENQUEUE(c, i), Create))]
contains the following equations:

ℋ(APPEND(c, Insert(Create, i))) = ℋ(APPEND(ENQUEUE(c, i), Create))
ℋ(APPEND(c, Insert(d, i))) = ℋ(APPEND(ENQUEUE(c, i), d))

As an illustration let us derive an equation of the form
ℋ(APPEND(c, Insert(d, i))) = ℋ(?rhs9) which gives rise to one of the rules in the preliminary
implementation of APPEND. The derivation begins with the choice of the left hand side of the
instance of the equation to be derived: This has to be an instance of
ℋ(APPEND(c, Insert(d, i))). Let us suppose σ is {d ↦ Create}.

Relevant Rewrite Rules of the Perturbed World

(10) Append(q, Nullq) → q

(14) ℋ(Create) → Nullq

(20) ℋ(ENQUEUE(c, i)) → Enqueue(ℋ(c), ℋ(i))

(22) ℋ(APPEND(c, d)) → Append(ℋ(c), ℋ(d))

Form of the theorem to be generated: ℋ(APPEND(c, Insert(Create, i))) = ℋ(?e)

Normal form of ℋ(APPEND(c, Insert(Create, i))): Enqueue(ℋ(c), ℋ(i))

Rules used for the normal form:

Step (1) Invoke Synthesis Rule (1) on ℋ(APPEND(c, Insert(Create, i)))

ℋ(APPEND(c, Insert(Create, i))) = Enqueue(ℋ(c), ℋ(i))

Step (2) Expand Expression: Enqueue(ℋ(c), ℋ(i))
Using Rule: (10)

ℋ(APPEND(c, Insert(Create, i))) = Append(Enqueue(ℋ(c), ℋ(i)), Nullq)

Step (3) Expand Expression: Nullq
Using Rule: (14)

ℋ(APPEND(c, Insert(Create, i))) = Append(Enqueue(ℋ(c), ℋ(i)), ℋ(Create))

Step (4) Expand Expression: Enqueue(ℋ(c), ℋ(i))
Using Rule: (20)

ℋ(APPEND(c, Insert(Create, i))) = Append(ℋ(ENQUEUE(c, i)), ℋ(Create))

Step (5) Expand Expression: Append(ℋ(ENQUEUE(c, i)), ℋ(Create))
Using Rule: (22)

ℋ(APPEND(c, Insert(Create, i))) = ℋ(APPEND(ENQUEUE(c, i), Create))

Step (6) Generalize the theorem in step (5) by replacing the constant
Create by the variable d to obtain the following equation:

ℋ(APPEND(c, Insert(d, i))) = ℋ(APPEND(ENQUEUE(c, i), d))

Apply Is-an-inductive-theorem-of on the above equation.

This yields True, confirming that the equation is a theorem.

Hence the desired rule (obtained by dropping ℋ on both sides) is:

APPEND(c, Insert(d, i)) → APPEND(ENQUEUE(c, i), d)

4.4.3.2 The Predicate Is-an-inductive-theorem-of

Is-an-inductive-theorem-of is a procedure that is used for checking if an equation
e₁ = e₂ is a theorem of a convergent rewriting system S. The procedure is designed so that if
it yields true on e₁ = e₂, then e₁ = e₂ is a theorem of S; if it yields false, then nothing can be
said about e₁ = e₂. While deriving a synthesis equation in the inductive theory, the
procedure is used to check if a generalization of an equation is a theorem of PW. The
procedure is described here.

The procedure is based on a method of using the KB-algorithm (see sec. 3.3.3.1) for
checking convergence in order to prove inductive properties of a rewriting system. Suppose S
is a convergent rewriting system. To check if e₁ = e₂ is a theorem of S, perform the following
steps:

(1) Form S₁ = S ∪ {e₁ → e₂ (or e₂ → e₁)}.

(2) Check if S₁ is convergent. The KB-algorithm of checking convergence (which
consists of checking if every critical pair ⟨a₁, a₂⟩ of S₁ is such that a₁↓ = a₂↓) is
used for this.

If the result of step (2) is affirmative, then e₁ = e₂ is a theorem; otherwise nothing can be said
about it in general. Let us assume that there exists a procedure, called
Can-be-made-convergent, that implements this method.

We will first briefly summarize the method, and then describe how
Is-an-inductive-theorem-of is built on top of it.

The result that provides a basis for the above method is proved in Theorem 7 in
Appendix III which gives a few useful results about convergent systems. The result is similar
to the one that was first developed by Musser [38], and that has also been investigated in [22].
Our result is different because the cited works assume that S satisfies a notion of
completeness (similar to the principle of definition) besides convergence.

In the present situation PW, whose theorems we are interested in, is convergent but
does not satisfy the principle of definition. Because of this the above method is applicable
only when e₁ (or e₂) is such that for every instantiation of the variables by generator constants,
e₁ simplifies to a generator constant. The left hand side of every equation we wish to check is
of the form ℋ(F(g₁, ..., gₙ)), where F is an implementing function symbol, and g₁, ..., gₙ
are generator expressions. Note that ℋ(F(g₁, ..., gₙ)) reduces to f(ℋ(g₁), ..., ℋ(gₙ)) by the
ℋ-rule corresponding to F. The latter expression satisfies the desired condition since f and ℋ
are well-spanned18 by PW.

18. Note that if a function f is well-spanned by PW, then every term of the form f(t₁, ..., tₙ), where
t₁, ..., tₙ are generator terms, can be simplified to a generator term using PW.

There are several situations when the method described above is not applicable for
proving an equation e₁ = e₂. But there exists another equation e₁′ = e₂′ such that

(1) e₁′ = e₂′ can be proved using the above method,

(2) e₁ = e₂ is a theorem if e₁′ = e₂′ is a theorem, and

(3) e₁′ = e₂′ can be derived automatically from e₁ = e₂.

In other words, e₁′ = e₂′ is serving as a lemma for the theorem e₁ = e₂. The
procedure Is-an-inductive-theorem-of consists of transforming e₁ = e₂ to e₁′ = e₂′, and then
applying Can-be-made-convergent on e₁′ = e₂′. The transformation of e₁ = e₂ to e₁′ = e₂′ is
performed by a function L, called the lemma deriving function. The lemma deriving function
used by Is-an-inductive-theorem-of is defined below:

The Lemma Deriving Function (L)

L is a function on expressions. L can be used to derive for a given equation e₁ = e₂ a lemma
that the proof of the former is dependent on. The two sides of the lemma are obtained by
applying L to e₁ and e₂.

L: expression → expression

Usage: L(α₁)

Pre: α₁ is of the form ℋ(α₂), where α₂ does not contain the symbol ℋ.

Returns: An expression β that is obtained by replacing in α₁↓ every subexpression of
the form ℋ(d), where d is any terminal, by a new terminal d′.

We will now illustrate the procedure Is-an-inductive-theorem-of to check if the
equation ℋ(APPEND(c, Insert(d, i))) = ℋ(APPEND(ENQUEUE(c, i), d)) is a theorem of the
PW being used in our example. The equation was obtained in step (6) while deriving a
synthesis equation in the previous section.

Equation to be checked: ℋ(APPEND(c, Insert(d, i))) = ℋ(APPEND(ENQUEUE(c, i), d))

Step (1) Derive Lemma by applying L:

(a) Simplify both sides,

(b) Replace ℋ(c) by q, ℋ(d) by R, ℋ(i) by i

ℋ(APPEND(c, Insert(d, i)))  ↓  Append(ℋ(c), Add_at_head(ℋ(d), ℋ(i)))

ℋ(APPEND(ENQUEUE(c, i), d))  ↓  Append(Enqueue(ℋ(c), ℋ(i)), ℋ(d))

Lemma to be checked: Append(q, Add_at_head(R, i)) = Append(Enqueue(q, i), R)

Step (2) Check if critical pairs are convergent:

(a) Critical pair determined by Rule (16):

Append(q, Add_at_head(Nullq, j))
rewrites to Append(Enqueue(q, j), Nullq) and to Append(q, Enqueue(Nullq, j)),
both of which reduce to Enqueue(q, j).

(b) Critical pair determined by Rule (17):

Append(q, Add_at_head(Enqueue(r₁, j₁), j))
rewrites to Append(q, Enqueue(Add_at_head(r₁, j), j₁)) and to Append(Enqueue(q, j), Enqueue(r₁, j₁)),
both of which reduce to Enqueue(Append(Enqueue(q, j), r₁), j₁).
4.4.3.3 An Instantiation for the Synthesis Equation

Here, we describe a method of finding a substitution σ that determines the left hand
side of the instance of the theorem we wish to generate. Note that the left hand side of the
theorem is already known to us, which in the current example is ℋ(APPEND(c, Insert(d, i))).
σ maps the terminals in the left hand side expression to suitable expressions. σ should be
chosen so that the equation σ(ℋ(APPEND(c, Insert(d, i)))) = σ(ℋ(?e₂)) is in the equational
theory of PW. This implies that σ should be such that σ(ℋ(APPEND(c, Insert(d, i)))) and
σ(ℋ(?e₂)) have the same normal form. Note that ℋ(?e₂) is unavailable to us at the moment.
So, σ has to be determined from the left hand side expression alone. Since the theorem
ℋ(APPEND(c, Insert(d, i))) = ℋ(?e₂) is not necessarily in the equational theory of PW, an
arbitrary substitution that maps terminals to generator terms cannot be used.

The following fact about our proof method (for inductive properties) serves as the
basis for the method of finding σ. The basis step of the inductive proof can always be carried
out using the equational logic. So, we choose the σ that corresponds to a basis step of the
proof of the lemma. The instantiation corresponding to the basis step can be determined
automatically starting from the left hand side of the theorem alone.

Finding such a σ involves two stages because the proof of the theorem, as you may
recall, involves two stages: Converting the theorem to the lemma, and then proving the
lemma itself. We first determine a substitution ω that corresponds to a basis step of the proof
of the lemma. σ is determined from ω using the method used by the lemma deriving
function L to convert the theorem to the lemma. We describe the two steps below.

Step (1) Determination of ω

(a) Find the left hand side of the lemma.

This is obtained by applying L, the lemma deriving function, to the left hand side of
the theorem. For our example: Left hand side of the theorem is
ℋ(APPEND(c, Insert(d, i))). To obtain the left hand side of the lemma, we simplify
the expression, and replace every subexpression that has ℋ at the root by a new
terminal: ℋ(APPEND(c, Insert(d, i))) →* Append(ℋ(c), Add_at_head(ℋ(d), ℋ(i))).
So the left hand side of the lemma is Append(q, Add_at_head(R, i)).

(b) Find a basis step in the proof of the lemma

For this, compute all the superpositions between the left hand sides of the rules of
PW and the left hand side of the lemma. Simplify the superpositions. A sufficient
condition for a superposition to correspond to a basis step is that its normal form is a
generator expression. The most general unifier that determines such a superposition
is a candidate ω. The following table gives the result of performing the above steps
on the current example. The columns, in order, give the rewrite rule in PW
responsible for the superposition, the superposition, and the normal form of the
superposition. The first superposition in the list simplifies to a generator expression.
Therefore, ω is the most general unifier corresponding to the first superposition,
which is {R ↦ Nullq}.

Rule   Superposition                                  (Superposition)↓

(16)   Append(q, Add_at_head(Nullq, i))               Enqueue(q, i)

(17)   Append(q, Add_at_head(Enqueue(r₁, j₁), i))     Enqueue(Append(q, Add_at_head(r₁, i)), j₁)

Step (2) Determine σ from ω

ω provides instantiations for the terminals in the left hand side of the lemma. σ instantiates
the terminals in the left hand side of the theorem. Our objective is to find a σ so that when
the left hand sides (of the theorem and the lemma) are instantiated by σ and ω, respectively,
they simplify to the same expression.

For instance, in the current example, the left hand side of the theorem is
e₁ = ℋ(APPEND(c, Insert(d, i))), whose normal form is
e₁↓ = Append(ℋ(c), Add_at_head(ℋ(d), ℋ(i))). The left hand side of the lemma is
e₁′ = Append(q, Add_at_head(R, i)), which was obtained by replacing ℋ(d) by R, and ℋ(c) by
q. ω maps R to Nullq, and leaves the rest of the terminals unchanged. Therefore, σ should
map d to an expression such that Nullq = ℋ(d) is a theorem in the equational theory of PW.
Therefore, the instantiation for d can be determined using the first two synthesis rules by
generating a theorem that has Nullq on the left hand side, and an expression of the form
ℋ(?e) on the right hand side. The generation sequence is shown below. The first theorem is
obtained by invoking Synthesis Rule (1) for the expression Nullq. The second theorem is
obtained by using Synthesis Rule (2); rewrite rule (14) of PW is used for expand. The right
hand side, ℋ(Create), of the theorem generated determines σ as {d ↦ Create}.

Nullq = Nullq

Nullq = ℋ(Create)

4.5  An  Abstract  Implementation  of  the  Derivation  Procedure 

Below, we give an implementation for a procedure Generate-a-rule. The procedure determines a suitable right hand side expression for a rewrite rule in a partial preliminary implementation, given the left hand side expression. The procedure also expects a Perturbed World and a termination ordering as inputs. The procedure is implemented in a high level algorithmic language whose semantics is self-explanatory.

The implementation assumes that there exist two procedures Is-an-inductive-theorem-of and A-suitable-instantiation-for-lhs. The latter finds a suitable substitution that determines the instance of the synthesis equation to be generated.

The procedure performs essentially the theorem generation illustrated before, in a systematic fashion. Roughly, it operates as follows. It finds the instance of the left hand side of the synthesis equation by applying A-suitable-instantiation-for-lhs to ℋ(lhs). It simplifies this expression to its normal form. The normal form is then expanded repeatedly using appropriate rewrite rules of PW until a suitable right hand side is encountered.

The nontrivial aspect of the procedure concerns performing expansion in an effective fashion. There are two problem areas. Firstly, expansion is not uniformly terminating. That is, expansion is a potentially nonterminating activity. The procedure uses the termination ordering ≻ to circumvent this problem. The right hand side has to be an expression that is less than the given left hand side. But, expanding an expression always gives rise to a bigger expression in the ordering ≻. Thus, the procedure can be terminated the moment we encounter an expression that is not less than the left hand side. (Note that ≻ is such that there can only be a finite number of expressions less than any given expression.)

Secondly, expansion is not uniquely terminating. That is, an expression can be expanded in several different ways (but finitely many, because there are only a finite number of rules in PW) using the rules in PW. Not all of them necessarily lead to the same final expression. Some of them may not even lead to a suitable right hand side expression. In the examples illustrated earlier, the rules of PW were carefully chosen so that they resulted in the desired right hand side. A working implementation, however, is forced to keep track of all possible expansions, since any one of them can result in the desired right hand side. In the implementation given below the variable S is used for this purpose.

This chore, in fact, happens to be the main source of inefficiency in the synthesis procedure. We use the following obvious ways of getting rid of unproductive expansion paths. Firstly, type information is used to eliminate some of the candidate rewrite rules for expansion. Secondly, expansions that result in an expression that is not less than the left hand side are not going to be fruitful. Finally, we make a distinction between the variables that appear in the rewrite rules of PW, and the ones in the given left hand side. The latter, which are terminals, are treated as constants. This eliminates several rewrite rules for expansion that are candidates otherwise.

It should be noted that the procedure given below is only a part of a complete implementation of the synthesis procedure. The other part is expected to determine the left hand side of the rules. We have assumed that there exists a procedure to determine the left hand sides. If the following procedure does not succeed in finding a suitable right hand side for a given left hand side, then another set of left hand sides has to be generated, and the following procedure re-executed.


Generate-a-rule = proc(PW: Perturbed World, lhs: F(g₁, ..., gₙ), ≻: ordering) returns (Rewrite Rule)

  % Initialization
  σ: Substitution ← A-suitable-instantiation-for-lhs(ℋ(lhs))
  ilhs ← σ(lhs)
  S ← {ℋ(ilhs)}

  repeat
    % Test if expansion can be stopped
    if There-exists-a-suitable-candidate-in(S)
      then rhs ← Fetch-a-suitable-candidate-from(S)
           return(lhs → rhs)
    endif

    % If a candidate has not been generated yet, expand by one more step
    S1 ← {}
    for every t ∈ S do
      S1 ← S1 ∪ set-of-all-expansions-of t by PW
    endfor

    % Drop from S1 unproductive expressions (those not below ilhs in the ordering)
    for every t ∈ S1 do
      if ¬(ilhs ≻ t) then S1 ← S1 − {t}
    endfor

    S ← S1
  forever




% Subprocedure description

There-exists-a-suitable-candidate-in: subproc (S: Set[Expression]) returns (Boolean)
  if ∃ t ∈ S such that
       ∃ ℋ(F(g₁, ..., gₙ)) = ℋ(?rhs) ∈ Gen(ilhs = t) such that
         (1) ?rhs does not contain ℋ or operations of the implemented type,
         (2) F(g₁, ..., gₙ) ≻ ?rhs, and
         (3) Is-an-inductive-theorem-of PW(ℋ(F(g₁, ..., gₙ)) = ℋ(?rhs))
  then return(True) else return(False)
end subproc


% Subprocedure description

Fetch-a-suitable-candidate-from: subproc (S: Set[Expression]) returns (Expression)
  if ∃ t ∈ S such that
       ∃ ℋ(F(g₁, ..., gₙ)) = ℋ(?rhs) ∈ Gen(ilhs = t) such that
         (1) ?rhs does not contain ℋ or operations of the implemented type,
         (2) F(g₁, ..., gₙ) ≻ ?rhs, and
         (3) Is-an-inductive-theorem-of PW(ℋ(F(g₁, ..., gₙ)) = ℋ(?rhs))
  then return(t)
end subproc


end Generate-a-rule


set-of-all-expansions-of.by: Expression × Rule → Set[Expression]
Usage: set-of-all-expansions-of t by γ → δ

Returns: Returns the set of all possible expansions of a given term via a given rule.


set-of-all-expansions-of.by: Expression × Set[Rule] → Set[Expression]
Usage: set-of-all-expansions-of t by ℛ

Returns: The set of all terms s such that

  s = ∪ set-of-all-expansions-of t by R, for all R ∈ ℛ


expand.in.by: Expression × Occurrence × Rule → Expression
Usage: expand t₁ in u by γ → δ

Req: Vars(t₁) ∩ Vars(γ) = ∅   % for convenience
     t₁/u is unifiable with δ

Returns: expand t₁ in u by γ → δ yields a term t₂ such that every term that reduces (in u by γ → δ) to an instance of t₁ will be an instance of t₂. In other words, t₂ is the most general instance of all the terms that reduce (in u by γ → δ) to an instance of t₁. Note that the result the function returns is unique up to permutation of the variables; this is because θ, the most general unifier of the two terms, is always unique when restricted to the variables in the two terms t₁ and δ.


expands-to.in.by: Expression × Expression × Occurrence × Rule → Bool
Usage: t₁ expands-to t₂ in u by γ → δ

Req: Vars(γ) ∩ Vars(t₁) = ∅

Returns: A predicate that tests if a term expands to another given one:

  (t₁/u) is unifiable with δ ∧ t₂ = expand t₁ in u by γ → δ


5.  Extending  the  Derivation  Problem 


The derivation problem and the derivation procedure described in the last chapter apply to a situation in which the representing domain (𝓡) for the desired preliminary implementation is unrestricted. That is, 𝓡 includes all the values of the representation type. This section extends the problem to the more general situation where 𝓡 is a subset of the value set of the representation type.

𝓡 denotes the set of values that are permitted to be used by a preliminary implementation for representing the values of the implemented type. It is characterized by the association specification supplied by the user. Suppose 𝒜 and ℐ are the abstraction function and the invariant specified by the association specification, respectively. Then 𝓡 is the set of all values for which ℐ is true. The present situation is one in which ℐ is true on only a subset of the representation value set.

For instance, consider the association specification given in Fig. 15. This example will be used to illustrate the procedure described in this chapter. It specifies an implementation of Queue in terms of Array × Integer × Integer. The abstraction function 𝒜 can be described informally as follows: Nullq can be represented by any triple in which both the integer components are equal. A nonempty queue can be represented by a triple <v, i, j>; v is an array of arbitrary length containing the elements of the queue, in order, between the indices i and j. In other words, i points to the front end of the queue, and j points to the next available position in v for adding a new element into the queue. The invariant ℐ is true on all triples such that i ≤ j and the array v is guaranteed to be defined on all indices between i and j.


[Fig. 15: association specification of Queue in terms of a triple <v, i, j>; the figure itself is not reproduced here]

5.1 Characterization of the Problem

The criterion of correctness (used in the previous chapter, in Sec. 4.4.1) that was used to characterize the problem is applicable to the current situation as well. For convenience, we repeat the criterion below: A preliminary implementation of a data type is correct with respect to a specification (that characterizes an association between
equations, one has to use rewrite rules describing this context besides the rewrite rules in PW. Secondly, ?rhs has to be determined so that ℐ(?rhs) = True is a theorem. For this, it is necessary to use the rewrite rules in the specification of ℐ. These additional rewrite rules, which describe information pertaining to the invariant, are maintained as a separate entity called the Temporary World (TW). We will discuss more about TW (its composition and its construction) later. It is sufficient to say the following at this point: TW consists of rules that specify ℐ, and rules that assert that g₁, ..., gₙ satisfy the invariant. The rules in TW are used for expansion as well as to ensure that ?rhs satisfies ℐ.

It should be noted that the part of the Temporary World used in the derivation of a preliminary implementation could be different for different rules in the preliminary implementation. This is because the argument expressions appearing on the left hand side (g₁, ..., gₙ) are usually different for different rules. Consequently, the part of TW that changes has to be constructed afresh at the beginning of the derivation of every rule. (The temporary nature of a part of it is what prompted us to name TW a Temporary World.)

5.3.1 A Simple Illustration

In the following, we show the derivation of a synthesis equation corresponding to the rule ENQUEUE(<v, i, j>, e) → ?rhs in the partial preliminary implementation shown earlier. The derivation provides an illustration of how the generation of theorems is influenced by ℐ; it involves, for the first time, performing expansion using rewrite rules that have conditional expressions in them.

The TW used for the derivation is shown below. For ease of reference, also given below are rules copied from PW (Fig. 16) that are relevant in the present derivation. Rules numbered (9) and (10) in TW are the specification of ℐ. The rule numbered (11) asserts that the argument <v, i, j> to ENQUEUE satisfies ℐ. The fourth rule is a property of the invariant: any triple <v, i, j> that satisfies ℐ is such that i ≤ j. This can be proved as a theorem from the specification of ℐ. We will see how this is obtained in a subsequent section where we
(1) ℋ(<v, i, i>) → Nullq

(2) ℋ(<Assign(v, e, j), i, j+1>) → if i = j+1 then Nullq
                                     else Enqueue(ℋ(<v, i, j>), ℋ(e))

(3) ℋ(ENQUEUE(x, e)) → Enqueue(ℋ(x), ℋ(e))

(4) if_then_else(False, v1, v2) → v2

(5) if_then_else(True, v1, v2) → v1

(6) ℋ(if_then_else(b, v1, v2)) → if_then_else(b, ℋ(v1), ℋ(v2))

(7) x = y+1 → not(x ≤ y)

(8) not(True) → False

The Temporary World

(9) ℐ(<v, i, i>) → True

(10) ℐ(<Assign(v, e, j), i, j+1>) → i ≤ j+1 ∧ [i = j+1 ∨ ℐ(<v, i, j>)]

(11) ℐ(<v, i, j>) → True

(12) i ≤ j → True


Shown below is a generation of a series of theorems by invoking the synthesis rules, using the rewrite rules shown above for expansion. The generation results in the derivation of a synthesis equation of the form we desire. The first theorem in the series is obtained by invoking Synthesis Rule (1) for the expression ℋ(ENQUEUE(<v, i, j>, e)); the normal form of this expression is Enqueue(ℋ(<v, i, j>), ℋ(e)). The rest of the theorems in the series are obtained by invoking Synthesis Rule (2) using different rules in PW and TW for expansion.

An explanation about our choice of the rewrite rules for expansion in the following derivation is in order. Recall that the ultimate objective of expansion is to drive the symbol ℋ in the right hand side of the equation in Step (1) to the outermost level of the expression. Inspection of the rules of PW reveals two possible sets of rules which could be used for this purpose. The first one is the ℋ-rules, in particular, Rule (3) of PW; however, applying this rule in Step (1) will yield an expression identical to the one on the left hand side, which is not acceptable. The other possibility is applying the rules of the homomorphism specification, i.e., either Rule (1) or (2) of PW. Rule (1) is clearly not applicable. Rule (2) is also not applicable. A closer look, however, reveals that Enqueue(ℋ(<v, i, j>), ℋ(e)) has the form of the expression in the else-arm of the conditional expression on the right hand side of Rule (2). Hence, we make an attempt to expand Enqueue(ℋ(<v, i, j>), ℋ(e)) to an expression of the form if_then_else(..., ..., Enqueue(ℋ(<v, i, j>), ℋ(e))). The manipulations performed in Steps (2) through (4) are precisely aimed at this.

Form of synthesis equation to be derived: ℋ(ENQUEUE(<v, i, j>, e))

Normal form of ℋ(ENQUEUE(<v, i, j>, e)): Enqueue(ℋ(<v, i, j>), ℋ(e))

Rules used for simplification:

Step (1) Invoke Synthesis Rule (1) on ℋ(ENQUEUE(<v, i, j>, e))

  ℋ(ENQUEUE(<v, i, j>, e)) = Enqueue(ℋ(<v, i, j>), ℋ(e))

Step (2) Expand Expression: Enqueue(ℋ(<v, i, j>), ℋ(e))
         Using Rule: (4)

  ℋ(ENQUEUE(<v, i, j>, e)) = if False then v1 else Enqueue(ℋ(<v, i, j>), ℋ(e))

Step (3) Expand Expression: False
         Using Rule: (8)

  ℋ(ENQUEUE(<v, i, j>, e)) = if not(True) then v1 else Enqueue(ℋ(<v, i, j>), ℋ(e))

Step (4) Expand Expression: True
         Using Rule: (12)

  ℋ(ENQUEUE(<v, i, j>, e)) = if not(i ≤ j) then v1 else Enqueue(ℋ(<v, i, j>), ℋ(e))

Step (5) Expand Expression: not(i ≤ j)
         Using Rule: (7)

  ℋ(ENQUEUE(<v, i, j>, e)) = if i = j+1 then v1 else Enqueue(ℋ(<v, i, j>), ℋ(e))

Step (6) Expand Expression: if i = j+1 then v1 else Enqueue(ℋ(<v, i, j>), ℋ(e))
         Using Rule: (2)

  ℋ(ENQUEUE(<v, i, j>, e)) = ℋ(<Assign(v, e, j), i, j+1>)


Note that the right hand side of the last theorem in the above series is such that

ENQUEUE(<v, i, j>, e) ≻ <Assign(v, e, j), i, j+1>

ℐ(<Assign(v, e, j), i, j+1>) →* True

Hence, we have the following preliminary implementation for ENQUEUE:

ENQUEUE(<v, i, j>, e) → <Assign(v, e, j), i, j+1>

Let us, for a moment, draw the attention of the reader back to steps (2) through (4) in the above derivation. Their aim was merely to expand Enqueue(ℋ(<v, i, j>), ℋ(e)) to a conditional expression that had the former expression as its else-arm. The purpose of such a transformation was to make it possible to apply (for expanding) a rewrite rule that had a conditional expression on the right hand side. A situation such as this is encountered commonly during the generation of theorems. This is especially so when the rules of the input specifications have conditional expressions in them. Hence it is useful to extend the definition of the mechanism expand so that rewrite rules with conditional expressions on their right hand side can be applied directly to an expression that is not a conditional expression. We describe the extension below. In future illustrations of the derivation of synthesis equations, we will be using the extended version of expand.

Suppose e₁ → if_then_else(b, e₂₁, e₂₂) is a rewrite rule, and α is an expression that is being expanded by using the former rule. According to the existing definition of expand, the following protocol is used for expanding α:

Protocol 1:

(1) Check if α (or a subexpression in it) is unifiable with if_then_else(b, e₂₁, e₂₂); if so, let θ be the most general unifier.

(2) Replace θ(α) (or the subexpression in it) by θ(e₁).

Note that according to the above protocol α is expandable only if α (or a subexpression in it) is of the form if_then_else(...). Now, we introduce two additional ways in which the rule can be used for expansion.

Protocol 2:

(1) Check if α (or a subexpression in it) is unifiable with e₂₁; if so, let θ be the most general unifier.

(2) Check if θ(b) →* True, or ¬(θ(b)) →* False.

(3) If so, replace θ(α) (or the subexpression in it) by θ(e₁).

Protocol 3:

(1) Check if α (or a subexpression in it) is unifiable with e₂₂; if so, let θ be the most general unifier.

(2) Check if θ(b) →* False, or ¬(θ(b)) →* True.

(3) If so, replace θ(α) (or the subexpression in it) by θ(e₁).

Using Protocol 3, the preliminary implementation of ENQUEUE derived earlier can be obtained in just two steps, as shown below. The theorem in step (1) is obtained as before. The theorem in the second step is obtained by using Rule (2) of PW for expansion under Protocol (3). Note that the boolean expression under consideration is i = j+1; i = j+1 →* False by Rules (7), (12) and (8).

Form of synthesis equation to be derived: ℋ(ENQUEUE(<v, i, j>, e))

Normal form of ℋ(ENQUEUE(<v, i, j>, e)): Enqueue(ℋ(<v, i, j>), ℋ(e))

Rules used for simplification:

Step (1) Invoke Synthesis Rule (1) on ℋ(ENQUEUE(<v, i, j>, e))

  ℋ(ENQUEUE(<v, i, j>, e)) = Enqueue(ℋ(<v, i, j>), ℋ(e))

Step (2) Expand: Occurrence: λ
         Expression: Enqueue(ℋ(<v, i, j>), ℋ(e))
         Using Rule: (2), Protocol 3

  ℋ(ENQUEUE(<v, i, j>, e)) = ℋ(<Assign(v, e, j), i, j+1>)

It should be pointed out that the addition of protocols (2) and (3) does not enhance the generality of the original definition of expand. In other words, we can show the following:

Suppose β can be obtained from α in a finite number of expansion steps using a rewriting system R under protocols (1), (2) and (3). Then, β can also be obtained from α in a finite number of expansion steps using only protocol (1), provided R contains the following rules that specify if_then_else:

if_then_else(True, v1, v2) → v1
if_then_else(False, v1, v2) → v2

The reason for introducing protocols (2) and (3) is to reduce the number of expansion steps needed in the generation of theorems. The two rules of if_then_else given above make expansion uneconomical because the right hand side of each of them is a variable. This makes each of them a candidate for being used for expansion at every step of the theorem generation process. Use of protocols (2) and (3) in effect limits the use of the above two rules to cases where there is a rewrite rule with an if_then_else in its right hand side, and which could be used for further expansion.
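The search performed by Generate-a-rule (Section 4.5) together with the Protocol 2/3 extension of expand described above, as an added worked example that is not the thesis's code, run on the ENQUEUE derivation of this section: terms are nested tuples, and the rules of PW and TW are transcribed from the lists above. The weight-based stand-in for the termination ordering ≻, the Boolean/Integer facts in LEMMAS, and the use of those facts for simplification only (in place of the thesis's type check on candidate rules) are assumptions.

```python
"""Worked model of Generate-a-rule (Section 4.5) with the Protocol 2/3 extension of
expand (Section 5.3.1), run on this chapter's ENQUEUE example.  Added illustration,
not the thesis's code: the weight stand-in for >- and the LEMMAS list are assumptions."""
# Terms: an atom is a str, a compound term is (op, arg1, ...).  Rule variables start
# with '?'; bare names such as v, i, j, e are terminals and act as constants.
def is_var(t): return isinstance(t, str) and t.startswith('?')
def args(t): return () if isinstance(t, str) else t[1:]

def match(pat, term, s):
    """One-way matching of a rule pattern against a term, extending substitution s."""
    if is_var(pat):
        return s if s.setdefault(pat, term) == term else None
    if isinstance(pat, str) or isinstance(term, str):
        return s if pat == term else None
    ok = len(pat) == len(term) and pat[0] == term[0] and all(
        match(p, t, s) is not None for p, t in zip(pat[1:], term[1:]))
    return s if ok else None

def subst(t, s):                       # raises KeyError if a rule variable is unbound
    if is_var(t):
        return s[t]
    return t if isinstance(t, str) else (t[0],) + tuple(subst(a, s) for a in t[1:])

def rewrite_once(t, rules):
    """One outermost-leftmost rewriting step, or None if t is in normal form."""
    for lhs, rhs in rules:
        if (s := match(lhs, t, {})) is not None:
            return subst(rhs, s)
    for k, a in enumerate(args(t), 1):
        if (r := rewrite_once(a, rules)) is not None:
            return t[:k] + (r,) + t[k + 1:]
    return None

def normalize(t, rules):
    while (r := rewrite_once(t, rules)) is not None: t = r
    return t

def expand(t, rules, simp):
    """All one-step expansions of t: a subterm matching a rule's right hand side
    (Protocol 1), or a then-/else-arm of a conditional right hand side whose
    condition simplifies to True/False (Protocols 2/3), is replaced by the lhs."""
    out = set()
    for lhs, rhs in rules:
        arms = [(rhs, None)]
        if not isinstance(rhs, str) and rhs[0] == 'if':
            arms += [(rhs[2], 'True'), (rhs[3], 'False')]
        for arm, needed in arms:
            if (s := match(arm, t, {})) is None:
                continue
            try:
                if needed is None or normalize(subst(rhs[1], s), simp) == needed:
                    out.add(subst(lhs, s))
            except KeyError:           # an lhs variable the arm does not bind (rules 4, 5)
                pass
    for k, a in enumerate(args(t), 1):
        out |= {t[:k] + (r,) + t[k + 1:] for r in expand(a, rules, simp)}
    return out

IMPLEMENTED_OPS = {'ENQUEUE'}          # operations of the implemented type
def weight(t):
    """Assumed stand-in for >- (it only bounds the search): an implemented-type
    operation weighs 10, H weighs 0, any other symbol weighs 1."""
    if isinstance(t, str):
        return 1
    return (0 if t[0] == 'H' else 10 if t[0] in IMPLEMENTED_OPS else 1) + sum(map(weight, args(t)))
def contains(t, ops):
    return not isinstance(t, str) and (t[0] in ops or any(contains(a, ops) for a in args(t)))

def generate_a_rule(lhs, pw, tw, lemmas, max_steps=6):
    """Searches for rhs with H(lhs) = H(rhs) derivable, rhs free of H and of
    implemented-type operations, lhs >- rhs and I(rhs) ->* True; returns (lhs, rhs)."""
    rules, simp = pw + tw, pw + tw + lemmas
    S = {normalize(('H', lhs), simp)}  # normal form of H(ilhs); terminals already constant
    for _ in range(max_steps):
        for t in sorted(S, key=repr):  # test if expansion can be stopped
            if (not isinstance(t, str) and t[0] == 'H'
                    and not contains(t[1], IMPLEMENTED_OPS | {'H'})
                    and weight(lhs) > weight(t[1])
                    and normalize(('I', t[1]), simp) == 'True'):
                return lhs, t[1]       # each expansion step was an equational consequence
        # expand by one more step, dropping expressions that are not below lhs in >-
        S = {u for t in S for u in expand(t, rules, simp) if weight(lhs) > weight(u)}
    return None
PW = [  # Perturbed World rules (1)-(5), (7), (8) as listed in this section
    (('H', ('tuple', '?v', '?i', '?i')), 'Nullq'),
    (('H', ('tuple', ('Assign', '?v', '?e', '?j'), '?i', ('+', '?j', '1'))),
     ('if', ('=', '?i', ('+', '?j', '1')), 'Nullq',
      ('Enqueue', ('H', ('tuple', '?v', '?i', '?j')), ('H', '?e')))),
    (('H', ('ENQUEUE', '?x', '?e')), ('Enqueue', ('H', '?x'), ('H', '?e'))),
    (('if', 'False', '?v1', '?v2'), '?v2'), (('if', 'True', '?v1', '?v2'), '?v1'),
    (('=', '?x', ('+', '?y', '1')), ('not', ('<=', '?x', '?y'))), (('not', 'True'), 'False')]
TW = [  # Temporary World rules (10)-(12): the invariant I and the facts about <v, i, j>
    (('I', ('tuple', ('Assign', '?v', '?e', '?j'), '?i', ('+', '?j', '1'))),
     ('and', ('<=', '?i', ('+', '?j', '1')),
      ('or', ('=', '?i', ('+', '?j', '1')), ('I', ('tuple', '?v', '?i', '?j'))))),
    (('I', ('tuple', 'v', 'i', 'j')), 'True'), (('<=', 'i', 'j'), 'True')]
LEMMAS = [  # assumed Boolean/Integer facts, used for simplification only (type-check stand-in)
    (('and', 'True', '?x'), '?x'), (('or', 'True', '?x'), 'True'), (('or', 'False', '?x'), '?x'),
    (('<=', '?x', ('+', '?y', '1')), ('or', ('<=', '?x', '?y'), ('=', '?x', ('+', '?y', '1'))))]
ENQUEUE_LHS = ('ENQUEUE', ('tuple', 'v', 'i', 'j'), 'e')   # the rule being implemented
```

Calling generate_a_rule(ENQUEUE_LHS, PW, TW, LEMMAS) reproduces the two-step derivation above: the Protocol 3 expansion with Rule (2) fires because i = j+1 simplifies to False via Rules (7), (12) and (8), while the Rule (3) expansion is pruned by the ordering because it merely reproduces ℋ(ENQUEUE(<v, i, j>, e)).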

5.3.2 More on the Temporary World

5.3.2.1 The Purpose of TW

The Temporary World (TW) serves two purposes: Firstly, it holds information about the invariant ℐ. Secondly, it provides a means of keeping a log of certain assertions that are needed for temporary stretches during the course of the derivation of a preliminary implementation. Some of these assertions are generated automatically by the procedure; others are supplied by the user.

The information about ℐ and the assertions are entered into TW as rewrite rules. (The derivation procedure may use the rules in TW for expansion, like the rules of PW, the Perturbed World.) The assertions needed may change during the course of the derivation of a preliminary implementation. Some of the assertions needed can only be determined during the course of the derivation. For these reasons, TW is treated as a dynamic world, i.e., a world that changes during the course of the derivation of a preliminary implementation. In contrast, PW keeps a log of the facts needed through the derivation of the entire preliminary implementation.


There are three reasons why temporary assertions might be needed during the derivation. Firstly, the equation ℋ(F(g₁, ..., gₙ)) = ℋ(?rhs) being searched for is a theorem of PW only under the hypothesis that the arguments to F satisfy ℐ. The second reason arises in checking if ?rhs satisfies ℐ, i.e., if ℐ(?rhs) = True is a theorem. This check has to be performed under the hypothesis that the arguments to F satisfy ℐ. Also, performing this check may need the use of the inductive logic. In such a case, it is necessary to set up appropriate hypotheses for the induction.

The third reason for the need for assertions arises while one is attempting to expand a subexpression of a conditional expression if_then_else(b, e₁, e₂). Under such a situation, we may assume that b is False while expanding a subexpression in the else-arm, or that b is True while expanding a subexpression in the then-arm. For instance, consider the expression if_then_else(i = j+1, e₂, Enqueue(ℋ(<v, i, j>), ℋ(e₁))). In this case, the subexpression Enqueue(ℋ(<v, i, j>), ℋ(e₁)) is expandable by the rewrite rule

ℋ(<Assign(v, e, j), i, j+1>) → if i = j+1 then Nullq else Enqueue(ℋ(<v, i, j>), ℋ(e))

only if we make the hypothesis that i = j+1 → False.

5.3.2.2 Construction of TW

TW consists of two parts: a static part, and a dynamic part. The static part remains unchanged for the entire duration of the derivation of the preliminary implementation. The dynamic part may change during the derivation.

5.3.2.2.1 The Static Part

The static part consists of information about the invariant ℐ. It consists of

(1) A set of rewrite rules that constitute the specification of ℐ. The specification of ℐ involves other data types which are among the implementing types. We assume that the static part contains their specifications also. In the examples we discuss, only the relevant rules from these specifications are displayed.




(2) A set of rewrite rules that express additional properties about ℐ.

The rewrite rules mentioned in (1), above, can be constructed automatically from the association specification. The information in (2) is something the user has the option of supplying additionally for deriving a preliminary implementation in the presence of a nontrivial invariant. This information is needed for the following reason: There are several preliminary implementations whose derivation is dependent on lemmas that express interesting properties about the invariant. Although it might be possible to prove these lemmas from the specification of ℐ, the derivation procedure cannot automatically discover the desired lemma. The rewrite rules in (2) specify these lemmas.

The static part of TW used for the current example is given below. Rules (1) and (2) are constructed from the specification of ℐ given as part of the association specification in Fig. 15. Notice that the right hand side of rule (2) is a simplified version of the right hand side of the corresponding equation of the specification of ℐ. The rules used in the simplification are (10), (11), (8), and (4). Rule (3) specifies a property of ℐ. It asserts that if a triple <v, i, j> satisfies ℐ, then i ≤ j. The property can be proved from the specification of ℐ using the KB-method. Rules (4) through (11) belong to the specifications Integer and Bool. These rules will be used in the examples that follow.

(1) ℐ(<v, i, i>) → True

(2) ℐ(<Assign(v, e, j), i, j+1>) → i ≤ j+1 ∧ [i = j+1 ∨ ℐ(<v, i, j>)]

(3) ℐ(<v, i, j>) ⊃ i ≤ j → True

W»*|Vs£j-.tJ| 

(5) True ∨ x → True

(6) ¬x ∨ x → True

(7) ¬(x ∧ y) → ¬x ∨ ¬y

(8) x ∨ (y ∧ z) → (x ∨ y) ∧ (x ∨ z)

(9) (x ∧ y) ⊃ y → True

(10) if_then_else(b, True, e₂) → b ∨ e₂

(11) if_then_else(b, e₁, False) → b ∧ e₁




5.3.2.2.2 The Dynamic Part

This is the part that may change during the course of the derivation of a preliminary implementation. It may vary from the derivation of one rule of the preliminary implementation to another; within the derivation of a single rule, it may vary from one theorem generation step to the next. By a theorem generation step, we mean the following: Recall that the derivation of a rule involves generating a series of theorems; the generation of each theorem in the series is considered a theorem generation step in the derivation of the rule.

The dynamic part is empty at the beginning of the derivation of any rule of the implementation. Assertions (in the form of rewrite rules) are added to and removed from the dynamic part at specific points during the derivation of a rule. Every assertion that is added during the derivation of a rule is removed by the end of the derivation. Every time an assertion is added to TW, it is important to ensure that the addition does not render TW nonconvergent. To ensure convergence, we run the procedure of Sec. 4.4.2 on TW every time an assertion is added to TW. (Note that TW is convergent to begin with. This is because the static part, which consists of the specification of ℐ, is guaranteed to be convergent.) The assertion is added only if the [...]. In some cases [...] restored by generating a finite number of new assertions. In such situations, it is necessary to add these new assertions also to TW. If these assertions are, indeed, added to TW, then they should also be removed along with the original assertion.

The assertions in the dynamic part can be classified into two categories based on the time of their addition. We describe the construction of the two categories below.

These assertions are added at the beginning of the derivation of a rule. They remain

21  We  aaumt  iha  da  ptdime  li  aa  jndnrUrt  deennef  n  ran  nrehdy  •  ftwd  a  ember  of 
nmrs  tfur  a  fane. 




m  II  «a«i  He  <ml  of  He  HnnttM  of  He  Me  oi  dw  mcmm 

Awcnjuan  hn^Mr  *<y  m  (tpw<W>  «*  Ac  ctf*v***m  mcyOod  at  mpmmtam 
to  Ha  wapgootOHi  tooafw  to  *toto  He  Mr  *  hmf  Anmd  It*  amuouc.  rf  Hr  mk 
htwj  tkffett)  a  al  ike  **»  U  -  *  H»  He  murmxm,  arc  H*»oMe**  am 

S(* r "  *  ^ 

A>pm»ni»  4wmM»  caw  ac  erf  hw  Ukk  IhrAMlMlIaKII  All,,.. 
wtkf«  t  fton* at  i«kt«) •  (1  »ilk tr»«*e  ndA  Ml,)  >  tror,  ...  to^I  -  ?me  Ik 
tm<$  to  «x«  iM  Hror  oaciwiw*  mi  tor  mxiitxj  «Mcmua*M0y 

tfcar  raawM  Had  <tmm  ct  mtmtm  Ho  me  rnff/mei  toy  He  men  TVs*  m  rnmt 
to  tmmmt  Hu*  c«t>  Mr  <4  He  tm**WMA  aopHoemiHioi  p*t«A»  He  m<mem  l, 

Alfu^i  *»  Ik*  oontorm  ctpti m  Hr  aHttw*  kiyMltam  Hu 

*****  N  mnktl  Mi  <fcc«Maf  He  Homy  fftfwlf  Ikr  apt**  Hie  He  ok*  too*  W 
wfH  Hm  aotmo  ii  Hr  Mb*«|  Kora*  Ho  am  unHnl  r*M**»  Hr  ohoHow 
prqpwm  bf  d«(hMf  mr> Mr Hgy.  IkM*  Irwr torHauwetnal  tt 

iMua*  Hu*  II  Hunt)  Hkltoto  *r»oae  Me*  mmnvm  Hi  ly  HW|  1J  M  He 
pretownury  aMptoiM«MLtow«  dcorw*  to  «atto  Hal  IPO  *  Vrar  am  he  pwwvJ  aeatrooMPy 
Una  tl  aaM|  He  tontotatodi  lifk  or  iU  K  to method  to  mmoif  *nHksk«  PM*orue»  Hon 
pp  jvmwmpapi  rMvtwvMi  jpv  mmm  rw*c*wf .  p  pi  prapppM")  •*^pcp*ctpw»pi  pmw  » 
hk*  Ho  He  pouf  of  tpltol  a  T«r  Mdi  HHtHH  MwOwo  to  cnom  tor  porwH 
oHaonofcatoy  toy  He  M  aaHml  Hto  oa*nta*»  npwwtoo  Hr  hHkHm  kyi*Hon  toe**  ao 
taaHMtofW 

in*  Mnoto  am  jb  omeetasN  NyfMoeem  m  jo  oh  eunpan  era  uMMnun  ay 
inaofciog  He  Htoeoce  to  pr**o  hto*  Ttor  Htotrac*  Mi  cafweom  a  peowai  totacttM 

■-  j _  —  A-  ~-_jH  0»_ .  * —  M  Ha*  |to| 

pwp  w  Pid  wm  mrnmmum  ovuivpi  >■  m  m  •h-iwpiqwi  pma  pimp|  ip  w 
eadtoctioo  hatartnatoy-  He  Mtoreoce  iak  ceo  hr  Heed  jn  fcHo*%  ^oppov  f^fy.  •  *  * « 

II  adN  nak  Ma|  toed  That  hi  vytoag  «o  onm  Xfttf* --- *  <**  oaayr  ooHUe 

*f(»r —  \»  to  ory  «f*MM  <♦,,....♦,>  Ho  ooUftaa  ).  od  to  h  Tea  Ho* 

<Cy  •  >  •  •  ^>  H  He  orHHtoi  > 

<»r ••  »«^>>  <V>  -V 
to  4*  ******* M*.  M  *»  (UWIlKt  IWtdf  AjIpWMKMM*  AttCAMt*  trf  Ptf  tottMMi  tff  «  Mt 
1*  %mM)  ttv  *41  to  «Mf  tomr  tatmiw  tot*  «to*  **  tottoto  tor  towHmwaw  <tf  tot 
pwtooMM^i  iwtokitoiMu«M«  fet  UtlMJ  ^upp-wr  to  «*  itoiwfimip  *o  Jh«k  *  Mr  «tf  tot 
IbtomMt  ftjtto. 

MTI.MIHv  »r /„>. *to 

Ito*.  tot  tot»«wN(»  toMtoMM  mm  m toto  tot  toton^w^  ar**wr  Mr%  tto  tont  t«e 
,t»ttWM>>»  +m  too  tot  mjptmtim  totoai  *  XfTtSO  t  tto  tornl  iwdmm  *  «mo4 

W  M*  «*»>♦».  Wm»  hy|»toto 

V*,  *r  *  !• 

Vtotot*,  '  i'i  -  ttot 

H<»?  *?  I  WTIMJI**,  ^  «f  *j*P  -  ttot 

. . .  %  rntmm 

tto  wwtl  (Mft>  rtf  «HHkM  to  tot  l|*Mt  pan  to  tot 
C'Mtow***  ftp»wto*to  toMttotot  4  towi  tto  torn  toaowtom  «tot»  «totoc  eiptotom  « 
mtorrptrttoM  **  .Ktttoiito  tiftttotm  to  tot  ptogrttoto  to  tot mum  ttottoMtoiw 
*Mc«f  m»  tto  .4  tor  NpwMin  to  «  town—  fato****  to*.  toil  twtwml  m  tot  <mJ  to  tot 
top  tto  C nwntonatto  I  «T*toto»  Atattoto  tamtol  to  *  top  tot  totoWWl  to  tot 
W4HM  to  tot  mtoifttout  ton  A  itow  to  to  n<t«int  tor  p«to**mp  tot  totto  to 
tout  <ttp  f«t  tototot.  Mptoto  tot  Ptomtol  A  tot  toanm  pewtotoi  to  tot  top  «p 
toAtotoMittoitoto  MtIMI 

wmkOKvv^o^v^  v  *,♦  »t 

•  tf.ton.tfttp,  •  »,»l  ItpiwWWttWv 
Stpptm  ««  totfto  to  (KMUM  tot  toww  to  top  12)  to  «ptoip§  toe  totetotMtoa 
Wm^yy^,<»fy/|)>toto(toi>toto«ttotoMtototo»m  11m, 
to  tut)  *M  to  fto  tot  ttotoim  i,  •  #,  *  I  —  Pitot  Ito  toMtotoi  totolto  tot  titofloa  to 
ton  jMtntot  tortM  to  toptoto  to  mfm  tto  wtortpuimtot  Jtawt  tor  np—towi  tppttt i 

^  .  --  <\‘  {  s>  |  J^| 

Ito  p^W  CW  «i  ^ 

top  <y  —  totot  t— tat  ton  tot  «ai«pmNto|  total—  ttpaatoto  to  *Ptot  to  § met*,  to 
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mm  turn*  ttf  «ft#  mm  tow*  *m  w»*  —iiiwwd  id  *  *9  Imumm*  Hit  totvwftoWMN  *mM  *w 
amknkmd  mutmrn  mum  mam  mm  ttu^m iu«W  tmmmmmtm  Tmmm&ut  m  ik  tor  wtomwoMcwi 
cHhmnd  to  few  «»fumte«l  TWi  tor  i'uwdhn.im#  t  tfmmmem  Ammmm  to*  tor  *rp  mv 
toWWNWkl  W  fatoMWi 

tO  l«  «v^»y  *<WI»to(WHHl  WtfMWWMolD  tf.JtotL.itotog  j*  .  .  J|  *4f  rMtMNF  top*  NWM  •  4k  ft 

to*,  *wi^  »  9m 

I*)  Iwd  mu  «mM>tomiwi niwwwrw  Ctoto,KMH>^  ...  ..* .  %  *i  *M<m  <tor  mm  •  *  « 
•Mto  nMkj  >hlw 


iU 


fto*  ******<  m#»*%  *  ***  <><f  «**wto»w**  <mwtoMto  <***mi*i*4*%  **  mm  »m*  mpmmm 
**fc<t  m  tto|  fttWNU#  (totoWtWW*  ilWfDmuiWUlkMk  tow  to  tow  MTtVt  fc  tokHMtWUW  •  «MH 

ft  to^w  3M  JLyDg.^^^|  <gt  j^to  to^w 

IM^H9  fto  tonWitoow  tow  towmiww.iww  tom  i  wtowt  ototomi  am-  In  >im»i*mub<  *m 

.  to^^wll^ft^^wto^toto  jiMftJLtftotoiitok^w  ^wttwD  J*  (tow  w^m 

*  to  to^toP^Pto  1^*  toito  wito 

Awp-  Jt  Aw  fltftoitfc  to#  AMMtaybitMlA  Afe  tomato*  tflsMMU^B  AHtt  Ato  AlttlbllftilMtt% 

•  '  wwm^  'WWW  ■  ■  WT  'F^rVW^WWm  ^W^B  W«B ■  ■  ■  ^Um '  ^  (^F-T»jM*p»rFH»»  ^ 

iWfUwumMto  w  Itototo*  to  ton  ton  tor  IwmuBvn  <*  tot  atmmmm  tow  •  |»nltotow> 
toftotomtotow  dmm  to*  *****  iwy  toto**  town***  <*  towrNi*  «*  tor  Datorwwito** 
W ft®  $1*  ;  W*  ^  id  ^  d^^^r*ww3Wfik  rtf  *  ***r 


Irw  tototo*.  mfttowt  *•  «*to  to  wtofttoti  *  ttoto  wtoif  tot  mmm^tmumm  <0  tot 
>tto  (totol  to  tffli$B>t«r  y  |y>.  Iky.  y^$  *  torn*  wiMM'wt-1  toiitoto *» to 4m to* 


(u^toKu^MmMJHvv^Xvv^ 
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m 


MM  •  Mv  MfMIMM  did  Rb  RMRd  dWMfBMWd  fc  <MmM  fcf  did  4  WkHP 

ts**  ■*“-■  fee  dhMbM  kn  ja  mmhim  aMuykil  **  aar  M  «ae  Mm 

Hf>Hnf  MpfMHMMI  df  (Nf  t*9*f  %M'  VfeNk  dlNIMWMRod  <MI  dM  (v  fHfffMMMtf  rmmmimmiII^ 


*******  w*»  wtMMMcvdf  *  *  «M  j «  dv  *m  m$*mm  m  d*  m> w*  mww  »»  dw 
HMliawwg  rifnwwnw*  NMMffIXIK  *r  V  ^  W  ^  d*»**d;UTIMlK*r  y  ^ 
<W^  tMUlflMIHv  V  ^  S  V  ^  1111111  M’  (M  m 


***** i) 


tdM».  W*  dd<W  IfMl «  MR 


Ml  9  id  hmmm  n*w  mm  »•  m0k  upa 

HU  »  M4MMJMI**  dMMMI  dfdd  MdtRdMdEdtdfu^Plty, ,, ,,^1.^ 


•  •  ^n>  - 


ng^Ui#dw<ii#>Wi 

«5Z?u3r3W?u?i 
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mm*  *  MM*  MfMMMt  A  l>  <«.  <  ^  iffiW*,.  y.  /,>. 

ty  y  h>u  mm  ««m*|  top)'"*—  *»  tfctoarj*  mm  <w  Ik  rt#mtad,  ant*.  to* 

*m  m*  to*  mm*  mm  »»  ctmmtonl  N  to*  tow**  to*  mum*,.  <k  <fi  mm  mi  t* 

m0wh»i*  IW  to  Nt;iww*  hk  hkwm  wtonmnw  to  IMkkt  jfc  lw»fc«  Ir  *  mule  wfiawwwmhtdr 
to  JU»  4«o*  mm**  ww  ip  towMf  «  nmKamtoml  cifKWWtoo  »  «  ft«n  <4  tow  *x*md 

■  totf  JUK^j  h^Ak^M  ^^WyVil^tok  uA^Li 

p'ttfMfHtoHi  toto»»fN*toitoi  tof  «  itovw  rifmnwun  t'\ammtr*  m*  «*m»f4r  |?*viw  tomu 
NffM*  #»  to»*tor  *»  >Kpwm<lwp  toto  riptwuftim  tl>m<4,<f4l<,/»  l>  IW  inmNWito.  »,  i 
mM  >  to  toto  **»N*toto  to*  «*vto  torn  <tii>*  «im  a»  »  #**«  tbtofc*  tom  lfHMK<Y  y 
yj.  <y  y  y>l  to  iWt *#Ky  yy>„  *V  V yHtototwto *"* tor  to**  tow*  HMWMHCy 
y  y>.  ly  y  ,\>to  *  In*  IN*  **  mm  mmmhn  tot*  to<t  v  .'/II 4*  tow  Ink  *  few®  «w  tote 
♦NnhOni  to*  *•**  topKHNw  •»  tow  «•*•*>  rift*®  m  tw  mm***"***  mm  to  fgwwrto 

iJNa  to^  _^to  ^  m 

to  ^1  to^to  ^P  M^to  ^P  toW 

d  ^NtoNKtiilto  *Nim  HiUmJIi  iN  n^  jja^JLim  >s4t  f  jtoNlM^itoU  totoa-^M M  jf  V^*to  K  .  ^  IKiIiiNm  1m 

* Wto  to^to  to  ^to®  ^^^MPtoNtoP  f  9  p  to  *CV 

iMMMtoto.  4  **  ♦%fTUHH|C*r  y  y>.  <y  y  ^  *  tw  to  *  to***®**  <to  IIP  ton*  ««  toM® 
where <v, i, j> is APPEND(<v1, i1, j1>, <v2, i2, j2>)

Step (5) Transform: Occurrence:
Using Rule: where-rule (2)

ℋ(APPEND(<v1, i1, j1>, <Assign(v2, e, j2), i2, j2+1>)) =
if_then_else(i2 = j2+1, ℋ(<v1, i1, j1>), ℋ(<Assign(v, e, j), i, j+1>))
where <v, i, j> is APPEND(<v1, i1, j1>, <v2, i2, j2>)

Step (6) Expand: Occurrence: Λ
Using Rule: (4)

ℋ(APPEND(<v1, i1, j1>, <Assign(v2, e, j2), i2, j2+1>)) =
ℋ(if_then_else(i2 = j2+1, <v1, i1, j1>, <Assign(v, e, j), i, j+1>))
where <v, i, j> is APPEND(<v1, i1, j1>, <v2, i2, j2>)

APPEND(<v1, i1, j1>, <Assign(v2, e, j2), i2, j2+1>) →
if i2 = j2+1 then <v1, i1, j1>
else <Assign(v, e, j), i, j+1> where <v, i, j> is APPEND(<v1, i1, j1>, <v2, i2, j2>)

Definition of APPEND

APPEND(<v1, i1, j1>, <v2, i2, i2>) → <v1, i1, j1>

APPEND(<v1, i1, j1>, <Assign(v2, e, j2), i2, j2+1>) →
if i2 = j2+1 then <v1, i1, j1>
else <Assign(v, e, j), i, j+1> where <v, i, j> is APPEND(<v1, i1, j1>, <v2, i2, j2>)


6. Stage 2: The Target Implementation

The second stage of the synthesis procedure transforms the preliminary implementation of the implemented type into a target implementation. For instance, in the example implementing Queue_Int in terms of Circ_List, the preliminary implementation derived in the last chapter (shown in Fig. 5 of chapter 2) is transformed into a target implementation such as the one shown in Fig. 18.

There are two differences between a preliminary implementation and a target implementation. The first one is that in a preliminary implementation the only operations of the representation type allowed to appear are the generators of the type. The target implementation may also contain nongenerators of the type. The second difference is in the function definition methods used by the two forms of implementation. In a preliminary implementation a function is defined by means of a set of rewrite rules. For example, the preliminary implementation of ENQUEUE (Fig. 5) is:

ENQUEUE(Create, j) → Insert(Create, j)

ENQUEUE(Insert(c, i), j) → Insert(ENQUEUE(c, j), i)

In a target implementation a function is defined by means of a single expression. For example, ENQUEUE is defined as: ENQUEUE(d, k) ::= Rotate(Insert(d, k)). The transformation performed takes into consideration both of these differences.

Fig. 18. An Implementation

NULLQ() ::= Create()

ENQUEUE(c, j) ::= Rotate(Insert(c, j))

FRONT(c) ::= Value(c)

DEQUEUE(c) ::= Remove(c)

APPEND(c, d) ::= Join(d, c)

SIZE(c) ::= if Empty(c) then 0
else SIZE(Remove(c)) + 1

It should be noted that a preliminary implementation is an executable implementation. It can be executed by an interpreter that simplifies algebraic expressions using the rewrite rules in the preliminary implementation and the specifications of the implementing types. The interpreter must have a pattern matching capability to invoke the appropriate rewrite rule while simplifying an expression. The program verification system AFFIRM [39], and the programming system PROLOG [??] provide such an interpreter. Given the specifications of all the implementing types, the interpreter can execute the preliminary implementation on any given input. For example, the value returned by the operation (of Queue_Int) Front on the queue constructed by Enqueue(Nullq, 1) is obtained by finding the normal form of FRONT(ENQUEUE(NULLQ(), 1)) using the preliminary implementation: the normal form is 1. Depending on the range type of the operation, the normal form can, in general, be a generator constant of any of the implementing types. The normal form can then be evaluated assuming there exist implementations for the implementing types.

Our  goal  is  to  derive  the  target  implementation  in  a  form  that  can  be  compiled  by  a 
compiler  for  an  applicative  language.  The  motivation  for  this  is  primarily  one  of  efficiency. 
There  are  two  reasons  why  a  target  implementation  is  more  efficient  than  a  preliminary 
implementation.  The  first  one  arises  because  of  the  freedom  to  use  nongenerators  of  the 
representation  type  in  a  target  implementation.  This  enables  one,  in  some  instances,  to 
eliminate  recursion  from  the  preliminary  implementation  of  an  operation,  and  to  transform  it 
into  a  target  implementation  which  is  merely  a  composition  of  the  operations  of  the 
implementing  types.  The  implementation  of  ENQUEUE  shown  above  is  an  instance  of  such 
a  situation.  The  use  of  the  operation  Rotate  in  the  target  implementation  eliminates  the 
recursion  which  was  essential  in  the  preliminary  implementation.  The  second  reason  is  that 
an  implementation  that  can  be  compiled  by  means  of  a  conventional  compiler  is  in  general 
more  efficient  than  interpreting  a  set  of  rewrite  rules. 

We  develop  two  methods  of  deriving  a  target  implementation  from  a  preliminary 
implementation:  The  Recursion  Preserving  Method,  and  the  Recursion  Eliminating  Method. 
Both  the  methods  are  based  upon  expansion  using  rewrite  rules.  The  target  implementations 
derived  by  the  first  method  preserve  any  recursion  that  may  exist  in  the  corresponding 
preliminary  implementations.  The  second  method  can  eliminate  recursion  from  a 
preliminary implementation of an operation if there exists a nonrecursive implementation for
the  operation.  The  second  method  is  more  general  because  it  can  also  derive  the 
implementations  derived  by  the  first  method.  The  advantage  of  the  first  method  is  that  it  is, 
in  general,  faster  than  the  second  in  situations  where  the  two  methods  derive  the  same  target 
implementation. 

6.1 The Recursion Preserving Method

This method uses a special set of functions, called the inverting functions, on the implementing types for transforming a preliminary implementation into a target implementation. To understand what inverting functions are and how they are useful in deriving a target implementation, let us take a closer look at the difference in the function definition methods used by the two forms of implementation. The preliminary implementation for SIZE is

SIZE(Create) → 0

SIZE(Insert(c, i)) → SIZE(c) + 1,

and a possible target implementation for it is

SIZE(d) ::= if Empty(d) then 0
else SIZE(Remove(d)) + 1.

In the preliminary implementation, the argument to SIZE on the left hand side of a rule may be a generator expression. The argument indicates the structure of the expression that constructs the values for which the rewrite rule is applicable. This freedom serves two purposes in a preliminary implementation. Firstly, it is used for performing a case analysis based on the structure of the argument. Secondly, the explicit indication of the structure of the arguments on the left hand side makes the decomposition of the arguments trivial. For instance, in the second rewrite rule for SIZE the variable c used on the right hand side is actually a component of the argument to SIZE. We were able to access this component without actually having to generate code to decompose the argument.

In a target implementation, the argument to SIZE on the left hand side of the definition is a variable. This means that the expression on the right hand side of the definition must have explicit pieces of "code" to perform the case analysis based on the structure of the argument, and to decompose the argument. For instance, in the target implementation of SIZE given above, the subexpression Remove(d) extracts the component of the argument d that is denoted by the variable c in the preliminary implementation. The subexpression Empty(d) checks if d is a value constructed by Create; the if_then_else expression performs the desired case analysis. Let us call the subexpressions that perform the functions mentioned above inverting expressions.

A  preliminary  implementation  can  be  systematically  transformed  into  a  target 
implementation  if  the  inverting  expressions  can  be  generated  automatically.  The  inverting 
functions  of  the  implementing  types  serve  precisely  this  purpose.  For  instance,  in  the  above 
example Remove and Empty are two of the inverting functions for Circ_List. The inverting
expressions  can  be  automatically  derived  in  terms  of  the  inverting  functions.  Thus,  the 
transformation  of  a  preliminary  implementation  into  a  target  implementation  according  to 
this  method  consists  of  two  steps:  First,  determine  the  inverting  expressions  in  terms  of  the 
inverting  functions;  second,  derive  implementations  for  the  inverting  functions  in  terms  of 
the  operations  of  the  implementing  types.  The  two  subsections  to  follow  describe  the  two 
steps. 

6.1.1  Inverting  Functions  and  Inverting  Expressions 

Inverting functions²³ of a data type are a family of functions on the type that are
inter-related  in  a  special  way.  Inverting  functions  are  defined  with  respect  to  a  basis  of  the 
type.  The  relationship  among  the  inverting  functions  of  a  family  is  such  that  the  functions 
can  be  used  to  algorithmically  invert  the  process  of  constructing  a  value  from  the  generators 
of  the  type.  In  other  words,  it  is  possible  to  construct  algorithmically  the  inverting 

23. Inverting functions are related to distinguished functions defined in [24]. A family of inverting functions for a data type can also serve as a family of distinguished functions. The reverse implication is not true in general. In [24] distinguished functions are used to formalize the expressive power of a data type.
expressions as a composition of appropriate inverting functions. The inverting expressions perform the following functions:

(1) Given a variable v and a generator expression t, check if the value denoted by v can be constructed by a generator expression that has the form of t. Since an inverting expression that performs this function is normally a boolean expression, we call it a boolean inverting expression.

(2) Assuming that a given variable v denotes a value that is constructed by an expression that has the form of a given generator expression t, determine the various components of t from v. We call an inverting expression that performs this function a component inverting expression since it extracts a component of a generator expression.

For example, the operations Remove, Value, and Not(Empty) can serve as a family of inverting functions for Circ_List. This is because the inverting expressions for any generator expression of Circ_List can be automatically constructed from these operations. For instance, suppose v is a variable of type Circ_List, and t = Insert(Insert(c, i), j) is the generator expression under consideration. The following are some of the inverting expressions for t:

(1) Not(Empty(Remove(v))) is a boolean inverting expression for t. It checks if v denotes a value constructed by a generator expression that has the form of t.

(2) Some of the component inverting expressions of t are Value(v) which extracts j, Remove(Remove(v)) which extracts c, and Value(Remove(v)) which extracts i.

Let us now formalize the properties that characterize a family of inverting functions for an arbitrary data type. We express the properties in the form of rewrite rules. The properties are such that they do not necessarily characterize a unique set of functions. This is done deliberately to offer flexibility in choosing an implementation for the inverting functions. Inverting functions are always defined with respect to a basis for the data type. Let the basis for the data type be B = {σ_i | i > 0}. Inverting functions can be classified into two categories: the component inverting functions and the boolean inverting functions.
(1) There is a set of n component inverting functions {d_1, ..., d_n} associated with every generator σ_i in the basis whose arity is n. They are characterized by the following property:

σ_i(d_1(σ_i(v_1, ..., v_n)), ..., d_n(σ_i(v_1, ..., v_n))) → σ_i(v_1, ..., v_n)

A generator whose arity is zero does not have any associated component inverting functions. The component inverting functions associated with σ_i factor a value constructed by σ_i. They return the arguments used by σ_i in constructing the value. At the outset it may appear more natural to characterize the component inverting functions as follows: d_j(σ_i(v_1, ..., v_n)) → v_j. The problem with such a characterization is that it may result in ill-defined component inverting functions in situations where the generators can be used in more than one way to construct the same value. For instance, consider the basis B = {0, 1, +} for Natural_Numbers. If d_1 associated with + is defined as d_1(x + y) → x, then we have a situation where d_1(0 + 1) = 0 and d_1(1 + 0) = 1. This will conflict with the rest of the specification of type Natural_Numbers which should allow us to prove that (0 + 1) = (1 + 0).

(2) There is a boolean inverting function associated with every generator in the basis. The boolean inverting function p_i associated with a generator σ_i returns True on values that can be constructed by a generator expression that has the form σ_i(v_1, ..., v_n). So, p_i is characterized by p_i(v) → σ_i(d_1(v), ..., d_n(v)) = v, where = is the equality operation on the type. Thus, the recursion preserving method in general applies only when each of the implementing types has the equal operation defined on it. A simpler characterization, which applies only when the basis is such that every value of the type can be constructed uniquely using the generators, is as follows:

p_i(σ_i(v_1, ..., v_n)) → True,

p_i(σ_j(v_1, ..., v_m)) → False (i ≠ j)

The basis for Circ_List is B = {Create, Insert}. It has two component inverting functions (d_1 and d_2) both of which are associated with Insert, and characterized by Insert(d_1(Insert(v, i)), d_2(Insert(v, i))) → Insert(v, i). It has two boolean inverting functions, p_1 and p_2, one associated with Create and the other associated with Insert. They are characterized as follows (Note that the generators of Circ_List are such that every value of the type can be constructed uniquely in terms of the generators):

p_1(Create) → True

p_1(Insert(c, i)) → False

p_2(Insert(c, i)) → True

p_2(Create) → False

Notice that p_1 and p_2, in this case, are complements of each other. So, while deriving implementations for the inverting functions, we implement only p_1; p_2 is obtained as a negation of p_1.

It is not hard to see how a preliminary implementation can be transformed into a target implementation in terms of the inverting functions. Fig. 19 gives a general procedure that does it for an arbitrary preliminary implementation. In the following, we illustrate the procedure on the preliminary implementation of SIZE. The preliminary implementation of SIZE consists of the following rewrite rules.

SIZE(Create) → 0

SIZE(Insert(c, i)) → SIZE(c) + 1

Suppose the left hand side of the target implementation is SIZE(d). The expression on the right hand side is a nested if_then_else expression that performs a case analysis. There is a case corresponding to every rewrite rule in the preliminary implementation. In the present case the right hand side would have the following form:

if b_1 then e_1
else if b_2 then e_2

The expressions b_1 and e_1 are determined from the first rewrite rule using the inverting expressions associated with the generator expression that appears as the argument to SIZE on the left hand side of the rewrite rule. The expressions b_2 and e_2 are determined similarly from the second rewrite rule. We will describe how b_2 and e_2 are determined since they are more
The function so derived is Empty. Note that this function also satisfies the other rewrite rule characterizing p_1, p_1(Insert(c, i)) → False. Therefore, p_1 can be implemented as Empty.

6.2 The Recursion Eliminating Method

Let us consider the problem of deriving a target implementation for a function F whose preliminary implementation consists of the set of rewrite rules given below.

F is assumed to be a single variable function for convenience. The general description of the method given below can be extended easily to a multivariable function. In a target implementation the function F is defined as F(x) ::= e, where x is a variable, and e is an expression containing x and any of the following function symbols:

(1) Operations of the implementing types

(2) the function if_then_else

Let us denote e as P(x) where P is some composition of the function symbols listed above. The derivation of a target implementation consists of finding a suitable P. The composition P should be such that the function defined by F(x) ::= P(x) has the same behavior as the one defined by the set of rewrite rules given above.

To characterize the problem formally, we define the following concept. A composition P satisfies a rewrite rule of F if the equation obtained by substituting P for F on both the sides of the rewrite rule is a theorem of the rewriting system consisting of the
specifications of the implemented type and the association specification. Note that the preliminary implementation did not exist at that time. Checking if a candidate for f* satisfies the rewrite rules essentially involves checking if an equation is a theorem.

Let us illustrate the method on the derivation of the target implementation for ENQUEUE shown earlier. The preliminary implementation of ENQUEUE is repeated below for ease of reference.

ENQUEUE(Create, j) → Insert(Create, j)

ENQUEUE(Insert(c, i), j) → Insert(ENQUEUE(c, j), i)

The f* to be derived should be such that the following equations are theorems. (Note that the equations are obtained by replacing ENQUEUE by f* in the rewrite rules, and then interchanging the two sides. The reason for interchanging the sides will be explained shortly.)

(1) Insert(Create, j) = f*(Create, j)

(2) Insert(f*(c, j), i) = f*(Insert(c, i), j)

We use equation (1) as the template equation. The nature of our synthesis rules imposes certain restrictions on the equations that can be used as template. The synthesis rules are formulated to generate theorems with a known left hand side, but an unknown right hand side. So, the template equation should be such that the unknown entity f* appears only on the right hand side. In equation (2) both sides are unknown since f* occurs on both the sides. This was also the reason behind interchanging the two sides of the rewrite rules while obtaining the above equations. Note that there always exists at least one equation with a known right hand side. This corresponds to the rewrite rule in the preliminary implementation of F that represents the basis case.

Shown below is a sequence of steps that generates a theorem that gives rise to a target implementation.

Relevant Rewrite Rules used for Expansion

(3) Rotate(Create) → Create

(4) Rotate(Insert(Create, i)) → Insert(Create, i)

(5) Rotate(Insert(Insert(c, i1), i2)) → Insert(Rotate(Insert(c, i2)), i1)

Form of the theorem to be generated: Insert(Create, j) = f*(Create, j)
Normal form of Insert(Create, j): Insert(Create, j)
Rules used for the normal form: None

Step (1) Invoke Synthesis Rule (1) on Insert(Create, j)
Insert(Create, j) = Insert(Create, j)

Step (2) Expand Expression: Insert(Create, j)
Using Rule: (4)

Insert(Create, j) = Rotate(Insert(Create, j))

The right hand side of the last theorem generated in the above series has the form of f*(Create, j), and hence can be used to generate a set of candidate compositions. A candidate composition is determined from three expressions:

(1) the left hand side of the target implementation, say F(v_1, ..., v_n)

(2) the right hand side of the theorem generated, say a, and

(3) the right hand side of the template equation, say f*(g_1, ..., g_n).

It is obtained by replacing zero or more occurrences of g_i, for every 1 ≤ i ≤ n, in a by a variable v_j, 1 ≤ j ≤ n. The replacement of g_i by v_j is made so that type consistency is preserved.

For the current example, the left hand side of the target implementation is ENQUEUE(d, k) ::= ?; the right hand side of the theorem generated is Rotate(Insert(Create, j)); the right hand side of the template equation is f*(Create, j). So, there are two candidates for f*(d, k): (1) Rotate(Insert(d, k)) and (2) Rotate(Insert(Create, k)).

The second candidate does not satisfy equation (2). The equation obtained by replacing f* in the equation by the candidate is Insert(Rotate(Insert(Create, j)), i) = Rotate(Insert(Create, j)). This is not a theorem of Circ_List because (for every i and j) both the sides of the equation remain simplified, but will not be identical. (This can be checked by Is-an-inductive-theorem-of.)
Let us consider the first candidate. The equation obtained by substituting it for f* in equation (2) is Rotate(Insert(Insert(c, i), j)) = Insert(Rotate(Insert(c, j)), i), and this is a theorem of Circ_List. (The left hand side of the equation reduces to the right hand side by the rewrite rule (5).) Hence Rotate(Insert(d, k)) satisfies equation (2). The second candidate does not satisfy equation (2). Hence the target implementation is:

ENQUEUE(d, k) ::= Rotate(Insert(d, k))
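As an added worked example (not code from the thesis), the candidate generation and the "satisfies" check of this section carried out mechanically in Python for ENQUEUE: a small innermost rewriter over the Circ_List rules (3)-(5) above, the preliminary implementation of ENQUEUE, and the two candidates obtained from the theorem of step (2). Two simplifying assumptions: the theorem check compares normal forms syntactically instead of calling Is-an-inductive-theorem-of, and each template argument is replaced at all of its occurrences or at none, paired with the target parameter of the same index.

```python
from itertools import product

# A term is a variable (a lowercase string) or a tuple (name, arg1, ..., argn);
# a constant such as Create is the 1-tuple ('Create',).
def is_var(t):
    return isinstance(t, str)

def match(pattern, term, subst=None):
    """Substitution for pattern's variables making it equal to term, or None."""
    subst = {} if subst is None else subst
    if is_var(pattern):
        if pattern in subst:
            return subst if subst[pattern] == term else None
        subst[pattern] = term
        return subst
    if is_var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, subst) is None:
            return None
    return subst

def substitute(term, subst):
    """Replace every subterm that is a key of subst (a variable or a constant)."""
    if term in subst:
        return subst[term]
    if is_var(term):
        return term
    return (term[0],) + tuple(substitute(a, subst) for a in term[1:])

def normalize(term, rules):
    """Innermost rewriting to normal form: arguments first, then the root."""
    if is_var(term):
        return term
    term = (term[0],) + tuple(normalize(a, rules) for a in term[1:])
    for lhs, rhs in rules:
        s = match(lhs, term)
        if s is not None:
            return normalize(substitute(rhs, s), rules)
    return term

# Rewrite rules (3)-(5) of Circ_List as quoted on the page.
CIRC_LIST_RULES = [
    (('Rotate', ('Create',)), ('Create',)),
    (('Rotate', ('Insert', ('Create',), 'i')), ('Insert', ('Create',), 'i')),
    (('Rotate', ('Insert', ('Insert', 'c', 'i1'), 'i2')),
     ('Insert', ('Rotate', ('Insert', 'c', 'i2')), 'i1')),
]

# Preliminary implementation of ENQUEUE (the Stage 1 output repeated above).
ENQUEUE_RULES = [
    (('ENQUEUE', ('Create',), 'j'), ('Insert', ('Create',), 'j')),
    (('ENQUEUE', ('Insert', 'c', 'i'), 'j'),
     ('Insert', ('ENQUEUE', 'c', 'j'), 'i')),
]

def unfold(term, fname, params, body):
    """Put the candidate body (over params) in place of every fname(...)."""
    if is_var(term):
        return term
    args = tuple(unfold(a, fname, params, body) for a in term[1:])
    if term[0] == fname:
        return substitute(body, dict(zip(params, args)))
    return (term[0],) + args

def satisfies(candidate, params, fname, prelim_rules, spec_rules):
    """P satisfies F's rewrite rules if, with P put in for F, both sides of
    every rule have the same normal form (a syntactic check standing in for
    the thesis's Is-an-inductive-theorem-of; a simplifying assumption)."""
    for lhs, rhs in prelim_rules:
        left = normalize(unfold(lhs, fname, params, candidate), spec_rules)
        right = normalize(unfold(rhs, fname, params, candidate), spec_rules)
        if left != right:
            return False
    return True

def candidates(theorem_rhs, template_args, params):
    """Candidate compositions: replace template arguments g_i in the theorem's
    right hand side by the target parameters v_i.  Assumed here: g_i is paired
    with v_i (type consistency), a variable g_i must be replaced since it is
    not a parameter of the target, and each g_i is replaced at all of its
    occurrences or at none."""
    options = [[True] if is_var(g) else [True, False] for g in template_args]
    result = []
    for flags in product(*options):
        mapping = {g: v for g, v, f in zip(template_args, params, flags) if f}
        result.append(substitute(theorem_rhs, mapping))
    return result

def synthesize_enqueue():
    """Stage 2 for ENQUEUE(d, k): the candidates that satisfy both rules."""
    theorem_rhs = ('Rotate', ('Insert', ('Create',), 'j'))  # from step (2)
    template_args = (('Create',), 'j')                      # f*(Create, j)
    params = ('d', 'k')
    return [c for c in candidates(theorem_rhs, template_args, params)
            if satisfies(c, params, 'ENQUEUE', ENQUEUE_RULES, CIRC_LIST_RULES)]
```

Running synthesize_enqueue() keeps only Rotate(Insert(d, k)); the second candidate fails on equation (2) exactly as the text describes, with both sides in normal form but different.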

6.3 An Illustration of a Complete Synthesis

In the following, we illustrate the complete synthesis, i.e., both the stages, on two examples. The first one derives a target implementation for the operation Append of Queue_Int using the association specification that specifies the Circ_List representation. The second example derives a target implementation for Front using the association specification that specifies the <Array_Int × Integer × Integer> representation (see chapter 5).

Illustration 1

Stage 1:

Partial Preliminary Implementation of Append at Hand

APPEND(c, Create) → ?rhs1

APPEND(c, Insert(d, i)) → ?rhs2

Relevant Rewrite Rules of the Perturbed World

(10) Append(q, Nullq) → q

(14) ℋ(Create) → Nullq

(20) ℋ(ENQUEUE(c, i)) → Enqueue(ℋ(c), ℋ(i))

(22) ℋ(APPEND(c, d)) → Append(ℋ(c), ℋ(d))

Derivation of the first rewrite rule

Form of the theorem to be generated: ℋ(APPEND(c, Create)) = ℋ(?rhs1)

Normal form of ℋ(APPEND(c, Create)): ℋ(c)

Rules used for the normal form: (22), (14), (10)

Step (1) Invoke Synthesis Rule (1) on ℋ(APPEND(c, Create))

ℋ(APPEND(c, Create)) = ℋ(c)

The above theorem is such that ?rhs1 is c. Therefore the desired rewrite rule is:

APPEND(c, Create) → c

Derivation of the second rewrite rule

Form of the theorem to be generated: ℋ(APPEND(c, Insert(Create, i))) = ℋ(?rhs2)

Normal form of ℋ(APPEND(c, Insert(Create, i))): Enqueue(ℋ(c), ℋ(i))

Rules used for the normal form:

Step (1) Invoke Synthesis Rule (1) on ℋ(APPEND(c, Insert(Create, i)))

ℋ(APPEND(c, Insert(Create, i))) = Enqueue(ℋ(c), ℋ(i))

Step (2) Expand Expression: Enqueue(ℋ(c), ℋ(i))
Using Rule: (10)

ℋ(APPEND(c, Insert(Create, i))) = Append(Enqueue(ℋ(c), ℋ(i)), Nullq)

Step (3) Expand Expression: Nullq
Using Rule: (14)

ℋ(APPEND(c, Insert(Create, i))) = Append(Enqueue(ℋ(c), ℋ(i)), ℋ(Create))

Step (4) Expand Expression: Enqueue(ℋ(c), ℋ(i))
Using Rule: (20)

ℋ(APPEND(c, Insert(Create, i))) = Append(ℋ(ENQUEUE(c, i)), ℋ(Create))

Step (5) Expand Expression: Append(ℋ(ENQUEUE(c, i)), ℋ(Create))
Using Rule: (22)

ℋ(APPEND(c, Insert(Create, i))) = ℋ(APPEND(ENQUEUE(c, i), Create))

Step (6) Generalize the theorem in step (5) by replacing the constant Create by the variable d to obtain the following equation:

ℋ(APPEND(c, Insert(d, i))) = ℋ(APPEND(ENQUEUE(c, i), d))

Apply Is-an-inductive-theorem-of on the above equation. This yields True, confirming that the equation is a theorem.

Hence the desired rule (obtained by dropping ℋ on both sides) is:

APPEND(c, Insert(d, i)) → APPEND(ENQUEUE(c, i), d)


Stage 2:

Preliminary Implementation at Hand

APPEND(c, Create) → c

APPEND(c, Insert(d, i)) → APPEND(ENQUEUE(c, i), d)

Desired Form of Target Implementation

APPEND(v1, v2) ::= ??

Relevant Rules of Circ_List

(10) Join(c, Create) → c

(11) Join(c, Insert(d, i)) → Insert(Join(c, d), i)

Template Equation Chosen: c = APPEND(c, Create)
Form of the theorem to be generated: c = f*(c, Create)
Normal form of c: c
Rules used for the normal form: None

Step (1) Invoke Synthesis Rule (1) on c

c = c

Step (2) Expand Expression: c
Using Rule: (10)

c = Join(c, Create)

Step (3) Find a suitable candidate composition.

The right hand side of the above theorem has the form of f*(c, Create). So, find a suitable candidate composition. There are two possibilities: (1) Join(v1, v2), and (2) Join(v2, v1). The second candidate satisfies the second rule of the preliminary implementation, but the first does not. So, a possible target implementation is:

APPEND(v1, v2) ::= Join(v2, v1)
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Illustration  2 

Stage  1: 

Partial  Preliminary  Implementation  of  Appnt 

FRONT<<  v,  Trhs, 

FRONI'<<Assign<v.  e.  i),  4  i+ 1>)  — *  ?rhs4 
KRONT<<Assigii<Assign<r.rl.  Ji,  erj+ 1).  i,j+ 1>)  -*  Trhs, 

Relevant  Rewrite  Rules  of  the  Perturbed  World 

(1)  3G«*.  i,  i>)  — *  Nullq 

(2)  3G« Assignt*.  c.  j).  i,  J+ 1»  -  Sf_lhcii_cbc<i  =  j+ 1.  Null*  Kj^*cuc(3t«».  i.  J>*.  3G<c))) 

(3) 3G(FRONT(x))-.  Frort(3G<»)) 

(4)  X(KRKOR)  -*  Krror 

(5)  3€(if_(hcn_cl5*<h,  »f.  i^)  — •  if_thcn_cbc<k.  3G(»t),  %(«,» 

Derivation  of  the  first  rewrite  rale 

Form  of  ihc  theorem  to  be  generated:  3G<FRONT<<  v.  4  r>»  ■  XfMts,) 

3G<FRONT<< ».  i.  ,»)*:  Krror 
Rules  used  for  simplifleation: 

Step  (1)  Invoke  Synthesis  Rule  0)  on  3G<FRONT<<  r,  4  *>)) 

3fe(FRONT(< »,  4  »>))  *  Error 

Step  (2)  Pjtpand  Expression:  Error 
Using  Rule:  (4) 

3G<FRONT<<  ».  4  >»)  ■  3G(ERR0R) 

FRONT<<r,  i.  /»  — » ERROR 

Derivation  of  the  second  rewrite  rale 

Form  of  the  theorem  to  be  generated:  3G<FRONT<<  Asrignfv,  e,  &  4  /+  !>))  m  3GffthSj) 
3G<FRON1<<  Assign^,  r,  A,  4  »+l>))4:  3G (e) 

Rules  used  for  simplification: 
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Stef  (I)  Invoke  Synthesis  Rule (I) on  XfFRONI'K  Assignor,  e.  A  t  >+ l>» 
THY RONIKAsaicrfn  A  A «.  »♦  I>»  ■  JUti 


kKOVI«AHicn(v. r.\k  i+  l>)  - 1 


Derivation of the third rewrite rule

Form of the theorem to be generated: 3G(FRONT(<Assign(Assign(v, e1, j), e2, j+1), i, j+2>)) = 3G(?rhs5)

Normal form of 3G(FRONT(<Assign(Assign(v, e1, j), e2, j+1), i, j+2>)):

if_then_else(i = j+2, Error, if_then_else(i = j+1, 3G(e2), Front(Enqueue(3G(<v, i, j>), 3G(e1)))))

Rules used for simplification:

Step (1) Invoke Synthesis Rule (1)

3G(FRONT(<Assign(Assign(v, e1, j), e2, j+1), i, j+2>)) =
if_then_else(i = j+2, Error, if_then_else(i = j+1, 3G(e2), Front(Enqueue(3G(<v, i, j>), 3G(e1)))))

Step (2) Expand Expression: Front(Enqueue(3G(<v, i, j>), 3G(e1)))
Using Rule: (2), Protocol 1

The Update:

i = j+2 → False
i = j+1 → False

3G(FRONT(<Assign(Assign(v, e1, j), e2, j+1), i, j+2>)) =
if_then_else(i = j+2, Error, if_then_else(i = j+1, 3G(e2), Front(3G(<Assign(v, e1, j), i, j+1>))))

Step (3) Expand Expression: Front(3G(<Assign(v, e1, j), i, j+1>))
Using Rule: (3)

3G(FRONT(<Assign(Assign(v, e1, j), e2, j+1), i, j+2>)) =
if_then_else(i = j+2, Error, if_then_else(i = j+1, 3G(e2), 3G(FRONT(<Assign(v, e1, j), i, j+1>))))

Step (4) Expand Expression: Error
Using Rule: (4)

3G(FRONT(<Assign(Assign(v, e1, j), e2, j+1), i, j+2>)) =
if_then_else(i = j+2, 3G(ERROR), if_then_else(i = j+1, 3G(e2), 3G(FRONT(<Assign(v, e1, j), i, j+1>))))

Step (5) Expand Expression: if_then_else(i = j+2, 3G(ERROR), if_then_else(i = j+1, 3G(e2), 3G(FRONT(<Assign(v, e1, j), i, j+1>))))
Using Rule: (5)

3G(FRONT(<Assign(Assign(v, e1, j), e2, j+1), i, j+2>)) =
3G(if_then_else(i = j+2, ERROR, if_then_else(i = j+1, e2, FRONT(<Assign(v, e1, j), i, j+1>))))

Hence the desired rule (obtained by dropping 3G on both sides) is:

FRONT(<Assign(Assign(v, e1, j), e2, j+1), i, j+2>) → if_then_else(i = j+2, ERROR, if_then_else(i = j+1, e2, FRONT(<Assign(v, e1, j), i, j+1>)))


Stage 2:

Preliminary Implementation at Hand

FRONT(<v, i, i>) → ERROR

FRONT(<Assign(v, e, i), i, i+1>) → e

FRONT(<Assign(Assign(v, e1, j), e2, j+1), i, j+2>) → if_then_else(i = j+2, ERROR, if_then_else(i = j+1, e2, FRONT(<Assign(v, e1, j), i, j+1>)))

(hrii*/4lfln^ 
t*rMIOMl<MolM*.rr  A  «./♦»>> 


I  n  FROVTH*t.  p*l.p«2>)  be  We  Irfl  hod  Mr  of  We  wyn  mptHocoMWio  We  me  a  AM 
ttknm awWo i *w Wt out  wawuij  tot w>W| We wp mpfeneiwloa far  ftwt  W««t 
ccmRNmmm  of  We  ntMkM  pratmai  aictftpd  and  We  iwniM  donmwaj  weWWL  a 
eonpoMoo  WanaWfkaWe  ton  leorbe  toleti  WewooctMpaflaHy.  i  teeaae  ware  Wai  Wlacaobe 
niOt  tint  a  tanpwWtoo  tm  MafWi  tic  mot  aod  We  Mai  mww  Mb  h  taemimi  TV 
two  cvmpBa*km  art  Rw  coatoiort  M  We  Mp  of  a  froato— Hierwi  apeWm»artnai*e 
tarpet  MafbHMMaiKML  Hole  ton  We  bonkM  0*0011  ctpfeMee  Wai  die fadertm  We  atponm 
woe  tort  nemymW|  o  We  Rni  leortu  nrfe  s  pMl  &  )Ml  Tleittat,  ft  faMef  bn  ^  We 
uryet  eoyfenumwiw  «  m  Mr*  The  fiyitow  Wai  uln  We  place  of  We  Hk  dan*  hole 




ifctrtMM**  wKkiute  mmtM  jU  *r  M  ir»w  Mn  «r  »nl*f4 

OnMfmifilt  l«f<  Nk«nMlM 

IROSIHm.  fNl.  iwiH  : >  I f*l  •  fMlrtratttOI 

Hmff 


lh*  *fc>  «***>#»  fcraatJbt  0k+  «cn4»  «*  <tomnMi  <*'  m  4ifl|  IW1  HtWi 

«ri»«wr  11A  *r  w*******  »l ,« tytr  *«  trftnttt «hr  AM<MWfMKH« 

•MMM 

|.*)ini4|WM>  i.||| 

(l)IM«aD|  .t 


!»>*>***,■  «*****>♦  <?•  HIMK  V*%4*.  *.  4  *.#♦  IH 

<*«*■»**»»«(  4VMI0.MVII 

N*>»>t*ul  fc*n»  «#  r  # 

Ritfc*  mw«|  *>»  m»y*<H«.>nKfc  S»o» 

Rtoftl)  !*<»’«  S»«IWw  I4i  (lit*  * 


l  «*f  *i*  Cll  1 


r  »  IM|VRp<«.  r.M 


Rtefltl  F«pwwi f ****** 
t**IMr  U) 


r«lM«nMKta^ai.019 


*«*t«il**U**»»l 


M* 


•  aS  MvMt*  lM(i  Vumttv  < 


rw  *mu»  *.*m  *ma>  **  **  tm*  ini****  <»*•<« «u4  tea*  Mr  4*m  <4  fft  umb* *■  4  <• IH  4 
tfw  .«tM«  IMIteKtiM  |Mi  |nc£H  (Mf|  «te«*  <**  ter  MM«*<fc4  «h 

*»**•.  (N*t)  Ite*  *  «w»  M«  «ter*  «  *  MU*  Mr  f«Uur  *.**u*l  «*** 

**><*#  *»»«  4U  «te««r  Mr  Mm4  ^^wr  M«#te  ^kntewwM^ 

tmefctwwt****  >teK»r,  tear  *  junwIMr  m»m»  mjkmtmm** tew  tUQteil  » 

tltJftltt**  prtl.  |m£>!  :  *  4m*I  *  **•!  ate*  IMKM 

iteMuKwMtl 


7. Conclusions and Future Research


**«<&<#***  fc*  «**#  btn  *mmmt  Nk*  mntrtw*)  «wo*  to  p»k 
fOfXHw  >4  4*»  Nfo  unI  to  on.1  Wh»l>  XN  twteWfw  <*  m*  «f  4 ixm  N 

Hm»  x**»  *«  *N  m*  <*  m0f*m**u0t  <***mmt  tor 

*» M»»k  4wM  Ity(v<»  *****  *****  XN«  «%kNn*  «*****'«****  In  *h»  ttu^n  wr  wh*mw*%N 
XN  **»<**  »M*MXN«UM**  «rf  XN  XN<N*  XNkNN  XN  4MV»o«HUM«  *********  XN  H<«UlK*  fclft  llUld 
**  to  **»# mmkIi  Jmttow*  fc*  N*XN*  tiwMd 

ON  w#  XN  WN»  nhtWMM  XM*  to  WO*  t*+*rfK*»(4  ***  0  <N  **«  «*  XN  ♦writh^ 
«.*  xNoMNftg  tW<#  ^INtXwNHUNN  XN  ****  to  XN  *«•*<*»  fto*««N*  fc  *  «**  NMHINNl  « 
*>p«ut  m  1NPMM  XN  4f*«XlW.MM0*  ®*  XN  *Np%WNWN4  (iftt.  **4  XN  «***  **.****  «X  *M  fht 
»NN  *#IN%  tky  WotoN  oX  c*  toO(N*J  N*  *<  XN  **r  °X  (*«  c«No(  *****  XN 
tow*)**>rfNww»  wX-ww#***  «ml  XN  NfW*M*XN*t  IW  i*kw*<NO»  t*  4wN 

i  in  RtKfi  hm*  m>i*  ***km  m  XN  nwmn*  |M.fXwwi 

IN  »MWMt**»NN*  m XN<*  XN  #nk>Moi*  **#»  irwxxMc  N  NXWWINI 

XN  x**f  No  N  «;inIMmI  to  <NIN|  m  NxXniNiwNN  *  N«:mm  *  *N**tf*  hMNmmI 
«NW*imw  V*  XN  n«NN  NWXWnXW  N*  «JNN*»  «l  *  *  NfcWMHX***  m  XN*  WXW  » 
rtTWfUN  MX  MvMNnI  «<**  XNx>  <«f  OMhN  «  |4IJ  IN  *nXNm4  JXtoNpw*  N  |X«|  c**»  XNo  N 
••INnnXNimI  .*  »  XNWHW  f»N»NXNN  *«***  *'»*  «NX  NNtpNwK  M*  **H#**J.  N****bI. 
*  to*  fxx***i  «*l  km  *0*mm  XN*  <**%  Numm  N  4c«*  *n  to*  XN  NnNixixi|*iiwn 
xtfewNufx*  N  <**N  *  <wn**n»  to*  XN  to*  <xf  XN*  *A*mm»e*  N  *  Nr«X  to  «r*eM*r 

IN  nhnnwucN*  toXNNy  *  xkx  fwonfxi  Kt*  *  ixW  to*  jxxrwwixmf  XN  <x  ****** 
ymwXNi.  IN  inn  xwrtNwi  mnnMjMN*  ««nl  N  #*  m**mrn  innxiINu  *  hxmwhbxi 
Nt  *****  m*  i  *51  tmmmm  «xn  nXNk«nn  n «m  nnmwnh  mm*mmn*t  -  «*«ft 

■  n  INN  j||^Lwk  Xkg*  NIMM||m||M 

XtnwNXN  xmwNowtwnN^  IN  wmmmsm  «<wNl  «*ww*xsw»  #*N  |w>New»  H  X» 
mum  #*  Ummmtm  *4  *N  <e*Ni  IN  yw—xN  **rtKr*X  «*ci  N 

INHIwfXn* n XN* *o* n<lNiHh  NXNcxxt  tmieUmg.  TM*teone<rf 

XN  MWMg  XN»  XN  «M»  «#  WNWWfcN  «NX  rf  XN  ifNNNl  fWWXlXt  <*  XNX  Of 
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MnpfcffKfititiufi  thrived)  nut  aformcd  in  fTJ. 

An important contribution of the thesis is the development of a formal basis for the
method used by the synthesis procedure. The development is influenced significantly by the
techniques used for verifying the correctness of implementations of algebraically specified
data types. The synthesis method has two distinguishing features. The first is that it is based
on the general principle of reversing the techniques of program verification. The second is
the decomposition of the procedure into two stages.

The reverse program verification principle leads us to view the synthesis problem
(see chapter 4) as one of generating a set of theorems that satisfy the synthesis conditions.
The synthesis conditions characterize the situations in which a set of theorems of the input
specifications is guaranteed to yield a correct implementation. The synthesis rules provide a
means of generating theorems from a specification. This approach to synthesis has two
advantages. Firstly, it makes the formal justification of the correctness of the synthesis
method simple because the synthesis conditions are based on a criterion of correctness for
implementations. Secondly, it allows us to build on the research in the area of program verification.

This naturally suggests an area in which to pursue future research. It
concerns extending the theory in which the synthesis procedure operates. Currently it
operates in the part of the inductive theory of the specification that is decided by the Musser/KB
method (see chapter 4) of proving equational and inductive properties of rewriting systems.
The extension would involve developing new synthesis rules, and new ways of using the
synthesis rules for generating theorems. One might, for example, look into ways of
assimilating the proof techniques used by various verifiers [5, 27] into our framework.

The main advantage of decomposing the procedure into two stages is that it makes
the procedure more modular. It isolates the part that is dependent on the target language. So
modifications to the target language can be made without drastically affecting the synthesis
procedure. A possible extension to the procedure that could be considered is to incorporate more
equivalence preserving transformations in the second stage. The transformations can be
either of an efficiency improving nature, or of a language dependent nature such as applicative to




In characterizing the inputs, an important contribution of the thesis is



Mi  A*++t+H*i+U'm  •#  M»  •#  N»  MuMoN  vw  Mc«* 

MrtmH»*MM  U*  •***»  «*.  ?  :*  M*  «u*«NM*Nfr  «*»  Mi  M|MM  <H«4  Mr  tftlWlMcM* 

*M**  i  ♦*♦****♦  »  HutM*  m  (HMuiM*  *  «  *wwM 

■*  N*-  »»*»*«»-  >*  M  liMM  «**fr  •».*.  Ml  *v*M*M  MrtMiM 

***  *•<**  **  »v  «*Mu*  M»  M#i  mh^  *<*#  c#>  t+MgruM 

*n*M-»t*  to*  «.  ,  M't*  !•*-  i#t*M>  Hv  «t<*#  HttMMN  M>  fK<tn< ttwmiW»  <#N 

M'H»tthvtv>-  *  ****«♦- 4  h«MH-  •►’  «•  «tt*«  H  M'N***  frvt>M»'»>>  *«♦<  M  MM*mHMu4  ♦** 

«V  i.M.«*I«n  «**»->*  1*'  Ml  %*hW*««M  fHMwMin  4 '(Vim* .*  M*  WHMmM 
wiMh*  >1  M-  m»N.w»»tl»*Ui>»v  MhimM  «h*  Mi  mu*  *H  *rtHM  #w<  MHtMrtM 

"M-  **m  *wt*  •»  <■  m  Mi  M»HM»nfr  4*t*MMm  «<*m»  Mm*  M» 

tMV  t*WMMN|  NHW  •»  mMUMi  tMt  4*MM*  4*  M.*v*  M  *  M  Ml 

t****.t  **►*♦■  *•  ♦«*»  *r  •**  »tiwNW  -ttvHttii  4MM*  •*»  Mi 

#*<w»M**v-  yfttn  to  » HM  **  -  ***  «M  M-  Mm  tMitototo  *►«**  H  nM**  t*tfH<«M4>rtivt  (»()» 
«to  M  IHWWtl  *»  »****»»  M  IllHM  totoMM**  N»  MV  tHMt  <%to  <** 

■ » ■-  Mv  ^  N  _  .til  ilNIliil^il  II1>m  i^NIMa 

"*»  ffHWM 

Hn-tHMt  «-wtv»Kv>  ♦  «.  «a«m-  <»«*>»  m»  •»■  M>  toiv<H**H-  MfttotowMtoto  wvAMHM  M  Mi 
'**»"  it*'*  •  «*••♦*««*  tM  ittHMf  Mh*  M«nii  JV  ttwnHV  ***  *  H**<  m  •*+  *1*  Mi 

*•  «— H"»  M-  Mt'fruw  gmnlH'l  tHuK'  #  MMto*  -t*  »<  w»toM»  M  V 

»WM  Ml  M t-WM  HI  Ml  ■  »IMM  <•♦««*•*'  **•  MUM  I  MMUr  M  m*K*  m>*W  F  f  MM» 

^^AvAlt  IAa^^HAM^I  jAA^^^AI^^.  #N3f  MUtAAAAl^M 

tw^T  *T*  *  ■  ••M"1  WMM  t*PM»  W^T  ▼  l^ff’  v 

u.  iit^gj^^iAA  At  A,  4a  —  *■  *  -*-—  —  -  Mill 

1  *  ”  ^  1  *  Tma’I  “  W"1  WtW  •»* 

MMmmmM*  Mm*  *  M»N>  NMMMMMM  «T  -  f  mmUM  M  WMMM  V  i>M«»  NM*» 

MM  ■*'  <WW'<WlM»  -  «M*  MN'Mill'  tIM'NMfli 

"gN^  ^uuv|M  aMa  aJV 

”  '• 1  ^  wf*1  '! *  *f  '  W 
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automata:  performance  wutyin  of  the  implementations.  There  is  some  recent  work  being 
June  w  titii  area  w  (30)  that  ts  compatible  with  algebraic  theory  of  data  types.  It  would  be 
Mtemung  to  mtougaie  the  interaction  between  our  work  and  that  of  (30). 

The main reason for choosing an equational language to express the inputs was
because of the benefits it offers from a proof theoretical point of view. Equational
specifications have generally been found hard to write. This is one of the factors that reduces
the practical value of the procedure. It would be useful to extend the synthesis procedure to
accept specifications in a language that is easier to write.

We believe that the goal of the research in program synthesis (and program
verification) can not and should not be to relieve the programmer completely of the burden of
programming. Rather, it should be to help us gain a better insight into the science of
programming. The insight gained can be utilized in several ways that are practically relevant,
such as in the design of programming languages, and in the development of program
verification and program development tools (It. 4f . 1 1). We believe that our work can


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Appendix  I  -  Equations  as  Rewrite  Rules 


Automatic verification of data types that are specified equationally is often based on treating the
equations in the specifications as rules for rewriting expressions that have certain patterns. The
automation of our synthesis method also relies on such a treatment of the specifications. This appendix
describes the basic concepts about rewrite rules, and some useful properties of sets of rewrite rules.

We assume a denumerable set V of elements called variables, and a finite set Σ of function symbols.
We define expressions and constants over Σ as follows. (The formal definition is similar to the
informal one given back in sec. 3.3.1.)

Expression 

An expression is either (1) a variable, or (2) a function symbol f followed by a sequence of n ≥ 0
expressions e1, ..., en. f is called the (main) function of this expression, and e1, ..., en are called the
arguments. Such an expression is written f(e1, ..., en). An expression with no arguments is written
as f(). We denote the set of expressions defined over Σ as E(Σ).

We assume it is possible to test variables and function symbols for equality. Two expressions α and β
are regarded as identically equal (written α ≡ β) if and only if they are both the same variable or they
have the same main function symbol and the same number of identically equal arguments, in the same
order.

The variable set of an expression α is {α} if α is a variable; otherwise it is the union of the variable sets
of the arguments of α.

The subexpressions of an expression are (1) the entire expression, and (2) the subexpressions of the
arguments (if any) of the expression. Expressions which are variables have no subexpressions other than
themselves.

Constants 

A constant is an expression that does not contain any variables. We denote the set of constants over Σ
as T(Σ). The subconstants of a constant are (1) the entire constant, and (2) the subconstants of the
arguments (if any) of the constant.

Occurrences 

An expression can be represented naturally as a tree structure: the main function symbol of the
expression is the root of the tree; the arguments of the expression are the branches of the tree. This
analogy can be used to devise a notation to identify unambiguously the subexpressions of an
expression.

An occurrence in an expression is a sequence (possibly empty) of positive integers that denotes the
path inside the tree corresponding to the expression that runs from the root of the tree to the root of
the tree corresponding to one of the subexpressions. We denote the set of all occurrences in an
expression e by O(e). We use the following notation for denoting an occurrence: Λ is the empty
occurrence, and if u is an occurrence and i is an integer, then i.u is the occurrence that has i as its head
and u as its tail.

The subexpression of an expression e at the occurrence u, denoted by e/u, is defined as follows:
If u = Λ, then e/Λ = e.

If u = i.w (1 ≤ i ≤ n), and e = f(e1, ..., en), then e/u = ei/w.

For example, suppose e = Enqueue(Dequeue(Nullq()), 1). Then e/1 = Dequeue(Nullq()),
e/2 = 1, e/1.1 = Nullq().

Suppose u is an occurrence of e. Then, we use the notation e[u ← e'] to denote the expression
obtained by replacing in e the subexpression e/u by e'. For instance, suppose e is the same expression
as in the example given above, and e' = Nullq(). Then e[1 ← e'] is Enqueue(Nullq(), 1).

Substitutions

Let σ be a mapping from variables to expressions such that σ(v) = v for all but a finite number of
variables v. Extend the domain of σ to the set of all expressions by defining σ(f(e1, ..., en)) to be
f(σ(e1), ..., σ(en)). Such a mapping σ is called a substitution (of expressions for variables). The
notation σ = [v1 ← e1, ..., vn ← en] will be used to denote the substitution σ such that σ(vi) = ei

for 1 ≤ i ≤ n, and σ(v) = v for every other variable v.

We say that an expression β has the form of an expression α if there exists a substitution σ such that
σ(α) = β. For example, Append(Nullq(), Enqueue(x, 0)) has the form of
Append(q1, Enqueue(q2, i2)) by the substitution σ = [q1 ← Nullq(), q2 ← x, i2 ← 0]. Notice that
has the form of is not a symmetric relation.

Rewrite Rules

A rewrite rule is an ordered pair of expressions (L, R), such that the variable set of R is contained in
the variable set of L. Usually (L, R) will be written L → R. A finite set of rewrite rules over a set of
function symbols Σ is called a rewriting system over Σ. Let R be such a rewriting system.

An expression α is reducible with respect to R if there is a rule L → R in R, and an occurrence u of α
such that α/u has the form of L. Let σ be a substitution such that σ(L) = α/u, and
β = α[u ← σ(R)]. Then we say that α directly reduces to β (using R), and write α → β (using
R). Where the particular R in use is clear from the context, this will be written simply as α → β. If α
is not reducible with respect to R then we say α is irreducible with respect to R.

Let →* be the smallest relation on pairs of expressions which is the reflexive, transitive closure of →.
Thus, α →* β if and only if there exist expressions α0, α1, ..., αn, where n ≥ 0, such that α ≡ α0,
αi → αi+1 for i = 0, ..., n-1, and αn ≡ β. We read α →* β as α reduces to β.

Suppose α →* β, and β is irreducible. Then we say that α simplifies to β; β is called a normal form
of α. We denote the normal form of α as α↓. A rewriting system R has the unique termination
property (UTP) if the simplifies relation defined by R is a function; that is, every expression has at
most one normal form in R.
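The definitions of this appendix, together with the "Expand Expression ... Using Rule (n)" steps of the Stage 1 derivations in the illustrations above, map directly onto a small term-rewriting kernel. What follows is an added example in Python and not code from the thesis: expressions and occurrences, e/u and e[u ← e'], substitutions, has the form of as one-way matching, direct reduction to a normal form, and the reverse (expansion) step used in the derivations. The sample rewriting system is Circ_list rules (10) and (11) from Stage 2 of Illustration 1, and the sample expressions are the Enqueue and Append terms of this appendix; the identifiers Var, App, F, match, normal_form and expand, and the step bound inside normal_form, are the example's own choices rather than notation from the thesis.

```python
# Added example (not from the thesis): the Appendix I definitions as code.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    fn: str
    args: Tuple["Expr", ...] = ()   # f() is a constant: no arguments

Expr = Union[Var, App]
Occ = Tuple[int, ...]               # () is the empty occurrence
Subst = Dict[str, Expr]
Rule = Tuple[Expr, Expr]

def F(fn: str, *args: Expr) -> App:
    return App(fn, tuple(args))

def variables(e: Expr) -> set:
    return {e.name} if isinstance(e, Var) else set().union(*map(variables, e.args))

def occurrences(e: Expr, prefix: Occ = ()) -> List[Occ]:
    """O(e), listed root first; argument k of e/u sits at occurrence u.k."""
    occs = [prefix]
    if isinstance(e, App):
        for k, a in enumerate(e.args, start=1):
            occs.extend(occurrences(a, prefix + (k,)))
    return occs

def subexpr(e: Expr, u: Occ) -> Expr:
    """e/u: e itself when u is empty, otherwise descend into argument u[0]."""
    if not u:
        return e
    if isinstance(e, Var) or not 1 <= u[0] <= len(e.args):
        raise ValueError(f"{u} is not an occurrence of the expression")
    return subexpr(e.args[u[0] - 1], u[1:])

def replace(e: Expr, u: Occ, new: Expr) -> Expr:
    """e[u <- new]: the expression obtained by replacing e/u by new."""
    if not u:
        return new
    args = list(e.args)
    args[u[0] - 1] = replace(args[u[0] - 1], u[1:], new)
    return App(e.fn, tuple(args))

def apply_subst(sigma: Subst, e: Expr) -> Expr:
    """sigma extended from variables to all expressions."""
    if isinstance(e, Var):
        return sigma.get(e.name, e)
    return App(e.fn, tuple(apply_subst(sigma, a) for a in e.args))

def match(pattern: Expr, target: Expr, sigma: Optional[Subst] = None) -> Optional[Subst]:
    """sigma with sigma(pattern) == target if target has the form of pattern, else None."""
    sigma = {} if sigma is None else sigma
    if isinstance(pattern, Var):
        seen = sigma.get(pattern.name)   # a repeated variable must match equal terms
        return {**sigma, pattern.name: target} if seen is None else (sigma if seen == target else None)
    if isinstance(target, Var) or pattern.fn != target.fn or len(pattern.args) != len(target.args):
        return None
    for p, t in zip(pattern.args, target.args):
        sigma = match(p, t, sigma)
        if sigma is None:
            return None
    return sigma

def rule(lhs: Expr, rhs: Expr) -> Rule:
    """L -> R is a rewrite rule only if the variable set of R lies in that of L."""
    if not variables(rhs) <= variables(lhs):
        raise ValueError("right-hand side introduces a variable absent from the left-hand side")
    return (lhs, rhs)

def reduce_once(e: Expr, rules: List[Rule]) -> Optional[Expr]:
    """One direct reduction at the first redex (root first, rules in order); None if irreducible."""
    for u in occurrences(e):
        for lhs, rhs in rules:
            sigma = match(lhs, subexpr(e, u))
            if sigma is not None:
                return replace(e, u, apply_subst(sigma, rhs))
    return None

def normal_form(e: Expr, rules: List[Rule], max_steps: int = 10_000) -> Expr:
    """Simplify e by repeated direct reduction.  The step bound is this example's
    guard: the definitions above do not exclude a non-terminating rule set."""
    for _ in range(max_steps):
        nxt = reduce_once(e, rules)
        if nxt is None:
            return e
        e = nxt
    raise RuntimeError("no normal form reached within the step bound")

def expand(e: Expr, u: Occ, r: Rule) -> Optional[Expr]:
    """The derivations' 'Expand Expression ... Using Rule' step: apply L -> R from
    right to left at occurrence u.  Variables of L absent from R stay free."""
    lhs, rhs = r
    sigma = match(rhs, subexpr(e, u))
    return None if sigma is None else replace(e, u, apply_subst(sigma, lhs))

# Rules (10) and (11) of Circ_list, as listed in Stage 2 of Illustration 1.
c, d, i = Var("c"), Var("d"), Var("i")
CIRC_LIST = [
    rule(F("Join", c, F("Create")), c),
    rule(F("Join", c, F("Insert", d, i)), F("Insert", F("Join", c, d), i)),
]
```

Calling normal_form on Join(Insert(Create(), x), Insert(Insert(Create(), y), z)) with CIRC_LIST reaches Insert(Insert(Insert(Create(), x), y), z) after three direct reductions, and expand(Var("c"), (), CIRC_LIST[0]) reproduces Step (2) of Stage 2, c = Join(c, Create). Because match instantiates only the pattern side, match(tgt, pat) fails where match(pat, tgt) succeeds, which is the asymmetry of has the form of noted above. The step bound is there because nothing in the definitions forbids a rule such as Join(c, d) → Join(d, c), which satisfies the variable-set condition yet never reaches a normal form.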
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Appendix  ill  •  Proofs  of  Theorems 


Theorem 1

Let S be a specification that satisfies the principle of definition. Let e1 = e2 be an equation such that e1 and e2
each have at least one function symbol in them. Then, e1 = e2 is a theorem of S if
S ∪ {e1 → e2} satisfies the principle of definition.

Proof: The proof is by contradiction. Let us assume that S ∪ {e1 → e2} satisfies the principle of
definition, but e1 = e2 is not a theorem of S.

If e1 = e2 is not a theorem of S, then there exists a substitution σ that maps variables to
generator constants so that σ(e1) and σ(e2) have distinct normal forms in S. Since S satisfies the
principle of definition, σ(e1) and σ(e2) have unique normal forms that are generator constants; let the
normal forms be t1 and t2 respectively, t1 ≢ t2. Note that σ(e1) and σ(e2) are distinct from t1 and t2,
respectively, because the latter two are generator constants while the former two are not. Therefore, in
S ∪ {e1 → e2} we have the following situation:

t1 ←* σ(e1) → σ(e2) →* t2, and t1 ≢ t2.

Thus, S ∪ {e1 → e2} violates the principle of definition. Contradiction.

Q.E.D.


Theorem 2

Let PW be a perturbed world. Suppose

(1) e1 is an expression such that for every substitution σ of variables to generator constants, σ(e1)
is not in normal form, and

(2) PW ∪ {e1 → e2} is convergent.
Then e1 = e2 is a theorem of PW.

Proof: Recall that to show that e1 = e2 is a theorem of PW, we have to show that
for each replacement σ of the variables in e1 and e2 by generator constants of the appropriate type, σ(e1)
and σ(e2) have the same normal form.

The proof is by contradiction. Let us suppose that PW ∪ {e1 → e2} is convergent, but
e1 = e2 is not a theorem of PW. Then there exists a σ such that t1 ≡ σ(e1)↓ and t2 ≡ σ(e2)↓
are distinct. By the first premise of the theorem, therefore, we have the following situation in PW ∪ {e1 → e2}:

t1 ←* σ(e1) → σ(e2) →* t2,

t1 ≢ t2.

Therefore PW ∪ {e1 → e2} is not convergent. Notice the need for the first premise. Without
this premise σ(e1) could be identical to t1, in which case PW ∪ {e1 → e2} is still
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II  +.r  >** 


iiiiMi  >hk  yim.wiw  #i  . *  ».  . »**mtm* 


♦i  4»<***‘*** 

♦  I  H-te**  »hMtv«^v< 


«*#>  •*!  *t:  •  *•**•*<•*»’  -♦•i  ♦ 


t#M>  A'#'  MtHUHldM  Him<H  iH4<  |V»V  4-  ^  4l#  *  W  *M»  •##!**  tN#« 

•  %.»>*  4*m*  •  •  t«nr  ntiHMt4  ♦**  '4Hf*MEMu<  oft******  Nh^t*  4M*  »vr»  MtlllMIt*  4w  4 

mw^tnwni 


r  *»•»«*  *  4  »»»♦«•  •  *.«**** 

*<*.«».  *.  >«*«<»  1  ■*•  -fill  'NK»i«»t»  >«(»«•*■ 

»WMl  i>*  •'*  >Wt»  fc»H'*iM»i|  i  *'**►  <W>»<I4»M> 


m*9-  **m  4H*  -*<»  «*»  «m*l»  *M»- 

•  MU  .  HtHMuMi'  .#*»«.# 1 4«#>-  M*l  •  •tfrt'iMM'  <*!*•  #*•#' 


VM  •  ♦  - 


L 


